AUTOMATIC PROGRAM VERIFICATION I:
A LOGICAL BASIS AND ITS IMPLEMENTATION


by 

Shigeru Igarashi, Ralph L. London, and David C. Luckham


1.  INTRODUCTION 

Verifying that a computer program is correct has been discussed in
many recent publications, for example [Hoare 1969, King 1969,
McCarthy and Painter 1967]. The "correctness problem" or
"verification problem" has become popular essentially because it
represents a significant first step towards writing programs that can
be guaranteed to do what their authors intended. There are several
different interpretations of exactly what it means. Here, we adopt
the point of view that a program has been "verified" when it is
proved within a system of logic to be consistent with documentation,
i.e. a statement of what it is supposed to do. Our discussion is
restricted to programs that can be written in a very precise modern
programming language, Pascal [Wirth 1971]. Of course, we do not deal
with all Pascal programs, but with a subset that is rich enough to
include published algorithms such as FIND [Hoare 1971b], TREESORT3
[Floyd 1964], and a simple compiler [McCarthy and Painter 1967].
Since Pascal is an Algol-like language we expect that what is done
here can be repeated without much effort for Algol or other such
languages. We adopt a DOCUMENTATION LANGUAGE that is roughly
speaking the language of quantified Algol Boolean expressions (i.e.
first-order number theory with definitional extension and some
notational conveniences). It does not contain any constructs for
representing such notions as tense (time dependency), possibility
(can do), etc. that may well prove useful in describing programs. So
the documentation language is a slight extension of what programmers
normally use to state those conditions on computations that control
their programs. Statements of the documentation language are called
ASSERTIONS. A documented program is, for us, a Pascal program in
which assertions have been placed between its statements at certain
points. We refer to such programs with documentation as ASSERTED
PROGRAMS.

The general idea of how to go about verifying an asserted program is
to reduce this problem to questions about whether certain associated
logical conditions (henceforth called VERIFICATION CONDITIONS) are
true of (i.e. theorems in) various standard first-order theories.
The usual method of reduction [Floyd 1967] involves enumerating all
possible paths between assertions in the program and then computing a
verification condition for each path in terms of operations and
assertions on that path; these verification conditions must then be
proved. See London [1972] for a bibliography of existing programs
for generating verification conditions.


However, in the case of Pascal, a rigorous definition of the
semantics has been given in terms of axioms and rules of inference
that must be valid for each syntactic constructor; this is contained
in the recent work of Hoare and Wirth [1972]. This approach to
defining the semantics of a programming language yields a deduction
system in which proofs that programs satisfy specifications may be
given (see Hoare [1969, 1971a]). Such proofs, of course, depend on the
truth of first-order conditions, or to put it another way, standard
first-order theories are sub-systems of the deduction system for
Pascal. For the sake of illustration, Example 1 shows a proof in
Hoare's system that the program in step 13 computes the quotient q
and remainder r of the inputs x and y. The rules of inference used
here are the rules in Table 1 (Section 3.1) and the iteration rule
below. The logical conditions assumed by this proof are labeled
"lemma".


Iteration:    P∧Q{A}P,  P∧¬Q ⊃ R
              ---------------------
              P{while Q do A}R

 1. true → x = x + y*0                                            Lemma 1
 2. x = x + y*0 {r ← x} x = r + y*0                               C1
 3. x = r + y*0 {q ← 0} x = r + y*q                               C1
 4. true {r ← x} x = r + y*0                                      C5 (1,2)
 5. true {r ← x; q ← 0} x = r + y*q                               C7 (4,3)
 6. x = r + y*q ∧ y ≤ r → x = (r−y) + y*(1+q)                     Lemma 2
 7. x = (r−y) + y*(1+q) {r ← r−y} x = r + y*(1+q)                 C1
 8. x = r + y*(1+q) {q ← 1+q} x = r + y*q                         C1
 9. x = (r−y) + y*(1+q) {r ← r−y; q ← 1+q} x = r + y*q            C7 (7,8)
10. x = r + y*q ∧ y ≤ r {r ← r−y; q ← 1+q} x = r + y*q            C5 (6,9)
11. x = r + y*q ∧ ¬y ≤ r → ¬y ≤ r ∧ x = r + y*q                   Lemma 3
12. x = r + y*q {while y ≤ r do (r ← r−y; q ← 1+q)}
        ¬y ≤ r ∧ x = r + y*q                                      Iteration (10,11)
13. true {(r ← x; q ← 0); while y ≤ r do (r ← r−y; q ← 1+q)}
        ¬y ≤ r ∧ x = r + y*q                                      C7 (5,12)

EXAMPLE 1: FORMAL VERIFICATION OF QUOTIENT-REMAINDER PROGRAM


It is possible to generate the verification conditions for an
asserted program merely by using a subgoaler for the deduction
system. EXAMPLE 2 shows how such a subgoaler works on the
Quotient-Remainder program of Example 1; it simply searches for a
rule of inference which has the current goal as its conclusion and
then generates the premisses of the rule as subgoals.


Goal.       true {r ← x; q ← 0; ASSERT x = r + y*q;
                  while y ≤ r do begin r ← r−y; q ← 1+q end}
            ¬(y ≤ r) ∧ (x = r + y*q)

Subgoal 1.  true {r ← x; q ← 0} x = r + y*q                          C7 (Goal)

Subgoal 2.  x = r + y*q {while y ≤ r do begin r ← r−y; q ← 1+q end}
            ¬(y ≤ r) ∧ (x = r+y*q)                                    C7 (Goal)

Lemma 3.    (x = r + y*q) ∧ ¬(y ≤ r) → ¬(y ≤ r) ∧ (x = r+y*q)        Iteration (Subgoal 2)

Subgoal 3.  (x = r+y*q) ∧ (y ≤ r) {r ← r−y; q ← 1+q} x = r + y*q     Iteration (Subgoal 2)

Subgoal 4.  (x = r + y*q) ∧ (y ≤ r) {r ← r−y} x = r + y*(1+q)        C7 (Subgoal 3),
                                                                      then C1 (Subgoal 3)

Lemma 2.    (x = r + y*q) ∧ (y ≤ r) → x = (r−y) + y*(1+q)            C1 (Subgoal 4),
                                                                      then C5 (Subgoal 4)

Subgoal 5.  true {r ← x} x = r + y*0                                  C7 (Subgoal 1),
                                                                      then C1 (Subgoal 1)

Lemma 1.    true → x = x + y*0                                        C1 (Subgoal 5),
                                                                      then C5 (Subgoal 5)

EXAMPLE 2: GENERATION OF THE VERIFICATION CONDITIONS FOR THE
QUOTIENT-REMAINDER PROGRAM

Note that, for example, subgoal 4 is obtained from subgoal 3 by using
C7 (composition rule) to split the compound statement at the
semi-colon; Q is set to x = r+y*(1+q) by applying C1 (assignment
axiom) so that the other subgoal is x = r+y*(1+q) {q ← 1+q} x = r+y*q,
which is an instance of the assignment axiom and hence is satisfied.
If the first-order "lemmas" produced by the subgoaler are true of the
relevant theories (in this case, number theory) then we know that
there will be a proof verifying the Quotient-Remainder program in
Hoare's system. These verification conditions are sufficient
conditions.
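The subgoaling just described, as an added example in Python (this is not the paper's VCG, whose implementation is the subject of Section 4): statements are tagged tuples, assertions are expression trees, and gen applies C1, C7, C8 and the iteration rule backwards to return the first-order lemmas. The Quotient-Remainder program of Example 1 is embedded as constructed input, and a brute-force check over a small integer box shows how a wrong loop invariant is refuted by its own verification conditions.

```python
# Added example (not the paper's VCG): a miniature verification-condition
# generator that subgoals backwards through a statement tree as in Example 2.
from itertools import product

# Terms/assertions: an int, a variable name (str; 'true' is the constant TRUE),
# or a tuple (op, arg, ...) with binary ops '+', '-', '*', '=', '<=', 'and',
# 'or', '->' and the unary op 'not'.  Statements are tagged tuples:
#   ('assign', x, t)   ('seq', A, B)   ('if', B, A1, A2)   ('while', B, INV, A)
# where INV is the ASSERT statement placed immediately before the loop.

def subst(e, x, t):
    """E|x_t: replace every occurrence of variable x in e by expression t."""
    if isinstance(e, str):
        return t if e == x else e
    if isinstance(e, tuple):
        return (e[0],) + tuple(subst(a, x, t) for a in e[1:])
    return e

def gen(stmt, post):
    """Return (pre, lemmas) such that pre{stmt}post is provable in Hoare's
    system whenever every lemma is a theorem of the first-order theory."""
    kind = stmt[0]
    if kind == 'assign':                                # C1, assignment axiom
        return subst(post, stmt[1], stmt[2]), []
    if kind == 'seq':                                   # C7, split at ';'
        mid, l2 = gen(stmt[2], post)
        pre, l1 = gen(stmt[1], mid)
        return pre, l1 + l2
    if kind == 'if':                                    # C8 together with C5
        p1, l1 = gen(stmt[2], post)
        p2, l2 = gen(stmt[3], post)
        return ('and', ('->', stmt[1], p1), ('->', ('not', stmt[1]), p2)), l1 + l2
    if kind == 'while':                                 # iteration rule
        b, inv, body = stmt[1], stmt[2], stmt[3]
        body_pre, lb = gen(body, inv)                   # subgoal: inv and b {body} inv
        keep = ('->', ('and', inv, b), body_pre)        # the invariant is kept
        leave = ('->', ('and', inv, ('not', b)), post)  # inv and not b gives post
        return inv, [keep] + lb + [leave]
    raise ValueError(f'unknown statement kind {kind!r}')

def verification_conditions(pre, stmt, post):
    """All first-order lemmas for the goal pre{stmt}post, entry lemma first."""
    wp, lemmas = gen(stmt, post)
    return [('->', pre, wp)] + lemmas

def show(e):
    """Fully parenthesised text, so operator precedence cannot mislead."""
    if not isinstance(e, tuple):
        return str(e)
    if e[0] == 'not':
        return 'not ' + show(e[1])
    return f'({show(e[1])} {e[0]} {show(e[2])})'

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '=': lambda a, b: a == b, '<=': lambda a, b: a <= b,
       'and': lambda a, b: a and b, 'or': lambda a, b: a or b,
       '->': lambda a, b: (not a) or b}

def evaluate(e, env):
    """Value of e in the standard model, variables taken from env."""
    if isinstance(e, int):
        return e
    if isinstance(e, str):
        return True if e == 'true' else env[e]
    if e[0] == 'not':
        return not evaluate(e[1], env)
    return OPS[e[0]](evaluate(e[1], env), evaluate(e[2], env))

def free_vars(e):
    if isinstance(e, tuple):
        return set().union(*(free_vars(a) for a in e[1:]))
    return {e} if isinstance(e, str) and e != 'true' else set()

def holds_on_box(lemma, lo=-3, hi=3):
    """Brute-force the lemma over a small integer box.  A counterexample refutes
    it (typically a wrong loop invariant); passing is evidence, not a proof."""
    names = sorted(free_vars(lemma))
    return all(evaluate(lemma, dict(zip(names, vals)))
               for vals in product(range(lo, hi + 1), repeat=len(names)))

# Constructed input: the Quotient-Remainder program of Example 1, with the
# loop invariant x = r + y*q as its ASSERT statement.
INV = ('=', 'x', ('+', 'r', ('*', 'y', 'q')))
LOOP = ('<=', 'y', 'r')
INIT = ('seq', ('assign', 'r', 'x'), ('assign', 'q', 0))
BODY = ('seq', ('assign', 'r', ('-', 'r', 'y')), ('assign', 'q', ('+', 1, 'q')))
POST = ('and', ('not', LOOP), INV)

def quotrem_lemmas(inv=INV):
    """Lemmas 1-3 of Example 2 (for the default invariant), rendered as text."""
    prog = ('seq', INIT, ('while', LOOP, inv, BODY))
    return [show(l) for l in verification_conditions('true', prog, POST)]

def quotrem_checks_out(inv=INV):
    """True iff no lemma for the given invariant is refuted on the small box."""
    prog = ('seq', INIT, ('while', LOOP, inv, BODY))
    return all(holds_on_box(l) for l in verification_conditions('true', prog, POST))
```

The three strings returned by quotrem_lemmas() are Lemma 1, Lemma 2 and Lemma 3 of Example 2; quotrem_checks_out(('=', 'x', 'r')) returns False because the "keep" lemma for that invariant has a counterexample.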




This is the approach to generating verification conditions presented
here. We use a simple subgoaling program for Hoare's deduction
system. Although this program will accept a significant subset of
Pascal programs, it is itself very simple since it does not analyze
the object program explicitly but merely repeatedly applies a list of
rules of inference. It is easily shown to be sound (see below),
easily extended to accept additional syntax (FOR statements, new type
declarations, etc.), and easily changed to take account of new
definitions of the semantics. We refer to this subgoaler as VCG
(Verification Condition Generator); details of its implementation are
given in Section 4 and sample outputs in Section 5.

However, there are problems. At any step more than one deduction
rule may be applicable to generate further subgoals. To deal with
this ambiguity, we have chosen a set of deduction rules (some of them
derived rules in Hoare's system) for subgoal generation which is
unambiguous. We shall show that this set is deduction complete. This
means that if a particular verification can be proved in Hoare's
system, then VCG will produce a sufficient set of verification
conditions from which such a proof may then be constructed. However,
these conditions may not be provable unless the user supplies certain
crucial assertions at intermediate points in his program (e.g. an
invariant for each loop). Finally we also need to know that the
deduction system is consistent.

Section 3 deals with these logical problems. We give a small set of
axioms and deduction rules, called the CORE, from which all of
Hoare's rules can be derived; some sample derivations are included. A
straight-forward set theoretic model of the core is constructed; this
gives us a semantic proof of consistency of the core. The set of
rules used by VCG is given and is shown to be consistent with the
core and powerful enough to derive the core (hence deduction
completeness). Preliminary comments, definitions and examples
concerning Pascal programs, the assertion language and asserted
programs are given in Section 2.

VCG is already a useful tool. Numerous example programs have been
verified by manually proving the verification conditions. More
interestingly, and of more promise, VCG is intended to be the initial
part of an automatic verification and debugging system. The overall
plan is shown in Figure 1. Asserted programs are input to VCG. The
output verification conditions are simplified relative to data files
containing relevant properties of the operators and functions in the
conditions. It will become evident from the examples in Section 5
that a great deal of elementary simplification of verification
conditions is both necessary and easy to do. The truth of many of
the conditions will be established at the simplification stage.
Next, the condition Analyzer is intended to reduce problems given to
the theorem prover and to find bugs. It attempts to classify
verification conditions according to probable method of proof and to
generate simpler subproblems, and also attempts to find the closest
similar condition that is provable when a proof of a given condition
is not found. This latter kind of analysis is one method of catching
bugs -- finding missing assumptions in verification conditions.
Currently a development of the theorem-prover of Allen and Luckham
[1970] is being used successfully by J. Morales to prove conditions
output by VCG for various sorting programs (see Section 5.4). This
proposed system thus appears to have a good chance of being developed
into something useful.

What has become evident is that VCG is not a trivial element in this
type of verification system. In order to make such a system
practical, the amount of documentation the user is required to supply
with his program should be restricted to what would be considered
natural for human understanding of what the program and its
sub-programs do. At the moment VCG places rather more weight on
documentation than we would like. However it is already easy to see
how to extend VCG by adding some additional rules that will permit it
to deduce intermediate documentation for itself in some cases.


[Figure 1 is a block diagram: Input --> VCG --> SIMPLIFIER --> ANALYZER <--> THEOREM PROVER,
 with DATA FILES boxes and OUTPUT boxes attached to the SIMPLIFIER and ANALYZER stages.]

FIGURE 1: PLANNED AUTOMATIC VERIFICATION AND DEBUGGING SYSTEM


2.  PROGRAMS  WITH  ASSERTIONS 


2.1  PASCAL. 

A comprehensive definition of Pascal is published by Wirth
[1971, 1972] and Hoare and Wirth [1972]. Our choice of Pascal as the
programming language is motivated by the development of Hoare's
deduction system and its use to define the semantics of Pascal.
Pascal is an Algol-like language so a reader familiar with Algol will
have no trouble understanding the examples of programs and condition
generation in this paper. Thus instead of including a definition of
Pascal here, we shall point out some of the main differences of
concern to us between Pascal and Algol. The following example shows
a program containing a procedure definition, variable declarations, a
recursive function definition and a program body which calls the
procedure and function; it is written first in Algol and then in
Pascal.


ALGOL PROGRAM:

    BEGIN
      INTEGER ALPHA, BETA, QUOT, REM, Q, R, X, Y, I;
      PROCEDURE QUOTREM(R, Q, X, Y); VALUE X, Y; INTEGER R, Q, X, Y;
        BEGIN R := X; Q := 0;
          FOR I := 1 WHILE Y <= R DO
            BEGIN R := R - Y; Q := 1 + Q END
        END;
      INTEGER PROCEDURE FACT(N); INTEGER N;
        BEGIN IF N = 0 THEN FACT := 1 ELSE FACT := N * FACT(N-1) END;
      BETA := 3; X := 6; Y := 4;
      ALPHA := FACT(BETA);
      QUOTREM(QUOT, REM, X+Y, X-Y);
      Q := QUOT; R := REM
    END

PASCAL PROGRAM:

    VAR ALPHA, BETA, QUOT, REM, Q, R, X, Y : INTEGER;
    PROCEDURE QUOTREM(VAR R, Q : INTEGER; X, Y : INTEGER);
      BEGIN R := X; Q := 0;
        WHILE Y <= R DO
          BEGIN R := R - Y; Q := 1 + Q END
      END;
    FUNCTION FACT(N : INTEGER) : INTEGER;
      BEGIN IF N = 0 THEN FACT := 1 ELSE FACT := N * FACT(N-1) END;
    BEGIN BETA := 3; X := 6; Y := 4;
      ALPHA := FACT(BETA);
      QUOTREM(QUOT, REM, X+Y, X-Y);
      Q := QUOT; R := REM
    END.

EXAMPLE 3: A PROGRAM IN ALGOL AND PASCAL


The differences in declaring variables are unimportant for our
purposes. The type of the function is indicated after the right
parenthesis in Pascal rather than before the word "PROCEDURE" in
Algol. The opening "BEGIN" in Algol appears just before the main
program in Pascal. In the formal parameter part of procedure and
function definitions, Pascal includes the specification of the formal
parameters inside the parentheses; in Algol this specification is
made after the list of parameters to be called by value.

The remaining difference may be skipped until procedures are
discussed in detail later. The word "VAR" in the Pascal formal
parameter part means R and Q are variable parameters. The
corresponding actual parameters must be variables (and not more
general expressions); assignment to R or Q in the body of the
procedure affects the corresponding actual parameters. The absence
of "VAR" before X and Y means X and Y are value parameters in the
Algol 68 sense (representing a change in the revised Pascal from the
original definition). The corresponding actual parameters must
be expressions (of which a variable is a simple case). A value
parameter represents a variable local to the procedure to which the
value of the corresponding actual parameter is initially assigned
upon activation of the procedure. Assignments to value parameters
from within the procedure are permitted, but do not affect the
corresponding actual parameters. (For further details of Pascal see
Wirth [1971, 1972].)

At the moment VCG will accept a subset of legal Pascal programs built
up from: assignment, while, conditional, and go to statements;
recursive procedure and function definitions and calls;
one-dimensional arrays are allowed on either side of assignment
statements.


2.2  ASSERTIONS 

Assertions are conditions on the state of the computation of a
program. Thus, if assertion P is placed at some point in program A,
the intention is that when A is run, every time P is encountered P
must be true of the current computation state of A.
Essentially, our assertion language allows assertions to contain any
well-formed formula of a standard first-order theory and, in addition,
non-standard relations may be introduced by definitions. We have
adopted a slightly more usable and readable formal language for the
assertions of VCG.

(i)   A term in the assertion language is a Pascal expression.

(ii)  Atomic assertions are either predicates (i.e. identifiers) with
      terms as arguments or terms.

(iii) Assertions are well-formed logical formulas constructed from
      atomic assertions using logical connectives and quantifiers
      according to the usual well-known rules.

Here are some examples:

(1) X = Y+Z

(2) ¬(Y<R) ∧ (X = R+Y*Q)

(3) Z*POWER(U,I) = POWER(X,Y)

(4) ∀K((1≤K) ∧ (K≤N-1) ⊃ A[K] ≤ A[K+1]) & PERMUTATION(A,A0).

The first three assertions are expressions in Pascal (and in fact
Boolean expressions in Algol) and rely on the precedence among
operators given below. Assertion (4) is not a Boolean expression
in Algol (because it contains a quantifier) nor an expression in
Pascal (because of the quantifier and implication).

The assertion language contains two different connective symbols for
each of IMPLICATION and AND to improve readability of verification
conditions. The precedence order of connectives and arithmetical
operators, predicates, and quantifiers is:

1. & (and);  2. → (implies), ⊃ (implies);  3. <, >, ≤, ≥ (relational
operators);  4. ∨, −, +;  5. ∧ (and), *, /, DIV, MOD;  6. ∀, ∃.

This agrees with the precedence in Pascal expressions.
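A parser for this assertion language, as an added example in Python (it is not code from the paper or from VCG): it implements the precedence order just listed by precedence climbing, with ASCII spellings assumed for the symbols ('&' for the loosest-binding AND, '->' and '=>' for the two implications, 'and', 'or', 'not', 'div', 'mod', 'forall', 'exists', and '<=', '>=', '<>' for ≤, ≥, ≠), and makes visible why assertion (2) needs its parentheses: a Pascal-level 'and' binds tighter than '='.

```python
# Added example (not the paper's parser): a precedence-climbing parser for the
# assertion language of Section 2.2, following the precedence table given above.
# ASCII spellings are assumed for the symbols: '&' for the low-precedence AND,
# '->' and '=>' for the two implications, '<=' '>=' '<>' for the relational
# symbols, and 'and', 'or', 'not', 'div', 'mod', 'forall', 'exists' as keywords.
import re

# Binding power of the binary operators: 1 binds loosest, 5 tightest
# (quantifiers, level 6, apply to the primary that follows them).
BINARY = {'&': 1,
          '->': 2, '=>': 2,
          '<': 3, '>': 3, '<=': 3, '>=': 3, '=': 3, '<>': 3,
          'or': 4, '+': 4, '-': 4,
          'and': 5, '*': 5, '/': 5, 'div': 5, 'mod': 5}
KEYWORDS = {'and', 'or', 'not', 'div', 'mod', 'forall', 'exists'}
TOKEN = re.compile(r'\s*(<=|>=|<>|->|=>|[-+*/<>=&(),\[\]]|\d+|[A-Za-z_]\w*)')

def tokenize(text):
    """Split an assertion into operator, number and identifier tokens."""
    tokens, pos, text = [], 0, text.rstrip()
    while pos < len(text):
        m = TOKEN.match(text, pos)
        if not m:
            raise SyntaxError(f'bad character at {pos}: {text[pos:]!r}')
        tok = m.group(1)
        tokens.append(tok.lower() if tok.lower() in KEYWORDS else tok)
        pos = m.end()
    return tokens

class Parser:
    def __init__(self, text):
        self.toks, self.i = tokenize(text), 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise SyntaxError(f'expected {expected or "a token"}, got {tok!r}')
        self.i += 1
        return tok

    def parse(self):
        tree = self.expr(1)
        if self.peek() is not None:
            raise SyntaxError(f'unexpected {self.peek()!r}')
        return tree

    def expr(self, min_prec):
        """Precedence climbing: consume operators binding at least min_prec."""
        left = self.primary()
        while self.peek() in BINARY and BINARY[self.peek()] >= min_prec:
            op = self.take()
            prec = BINARY[op]
            # implications associate to the right, everything else to the left
            right = self.expr(prec if prec == 2 else prec + 1)
            left = (op, left, right)
        return left

    def primary(self):
        tok = self.take()
        if tok == '(':
            inner = self.expr(1)
            self.take(')')
            return inner
        if tok == 'not':                       # negation applies to the next primary
            return ('not', self.primary())
        if tok in ('forall', 'exists'):        # quantifier binds a variable over a primary
            var = self.take()
            return (tok, var, self.primary())
        if tok.isdigit():
            return int(tok)
        if tok.isidentifier() and tok not in KEYWORDS:
            if self.peek() == '(':             # predicate or function application
                self.take('(')
                args = [self.expr(1)]
                while self.peek() == ',':
                    self.take(',')
                    args.append(self.expr(1))
                self.take(')')
                return ('call', tok, tuple(args))
            if self.peek() == '[':             # one-dimensional array element
                self.take('[')
                index = self.expr(1)
                self.take(']')
                return ('index', tok, index)
            return tok
        raise SyntaxError(f'unexpected {tok!r}')

def parse_assertion(text):
    return Parser(text).parse()
```

parse_assertion('X = R+Y*Q & Y<=R') yields the intended conjunction of two relations, whereas 'X = R+Y*Q and Y<=R' parses with 'and' inside the arithmetic, which is exactly why the paper writes assertion (2) with parentheses and provides '&' for joining conditions.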

NOTATION: Assertions and Boolean expressions will usually be denoted
by P, Q, R, S.

2.3 ASSERTED PROGRAMS

Assertions are added to programs as additional statements beginning
with the special symbol ASSERT, namely

    <assert statement> ::= ASSERT <assertion>

Thus an asserted program is a legal Pascal program if we imagine that
the syntax of the Pascal statement is extended by adding the extra
clause below to the syntax diagram of "statement" (see appendix to
Wirth [1972]):

    --->( ASSERT )--->| ASSERTION |--->

The assertions at the entry and exit of a procedure definition,
function definition, or main program have the word "ASSERT" replaced
by "ENTRY" and "EXIT" respectively. Both entry and exit statements
appear at the beginning of the unit.

There are some further restrictions. The basic rule about placing
assertions in a source program is that every loop must contain at
least one assertion. This requirement is met if there is an
assertion at every iteration statement (i.e., immediately before the
statement) and an assertion at every label (i.e., just after the
label). Although these requirements are not a necessary condition,
they are a simple and convenient sufficient condition to guarantee an
assertion in every loop. An assertion is required for the exit of a
program. With no loss of generality we assume a single exit.
Assertions may optionally be placed anywhere else. If an assertion
is missing from the entrance, VCG will assume the entry assertion
"UNRESTRICTED", a synonym for "TRUE". A source program with
assertions placed to meet these requirements is called an ASSERTED
PROGRAM. Examples of asserted programs are given in Section 5.

NOTATION: Asserted programs will be denoted by A, B, C, D.


2.4 A LOGIC OF ASSERTED PROGRAMS

We review briefly here the elements of Hoare's inference system for
proving properties of programs.

STATEMENTS of the logic are of three kinds.

(i)   assertions,

(ii)  statements of the form P{A}Q where P, Q are assertions and A
      is a program or asserted program.

      P{A}Q means "if P is true of the input state and A halts (or halts
      normally in the case that A contains a GO TO to a label not in A)
      then Q is true of the output state".

(iii) procedure declarations (definitions) of the form p PROC K where
      p is a procedure name and K is a program or asserted program
      (the procedure body).

There is an infinite set of variables p, q, r, ... that range over
procedures. Thus undeclared procedure names occurring in statements
are free variables ranging over procedures.

A RULE OF INFERENCE is a transformation rule from a set of statements
(premises, say H1, ..., Hn) to a statement (conclusion, say K) that
is always of kind (ii). Such rules are denoted by

         H1, ..., Hn
  (R1)   -----------
              K

The concept of PROOF in Hoare's system is defined in the usual way as
a sequence of statements that are either axioms or obtained from
previous members of the sequence by a rule. A sequence is a proof of
its end statement.

We use H ||- K to denote that K can be proved by assuming H. H |- K
denotes the same thing for first order logic.

Some rules have the existence of a subproof as a premise; they are of
the form

         H1, ..., Hn,  I ||- J
  (R2)   ---------------------
                   K

Such rules permit deductions of assertions on recursive procedure
calls.


We extend the definition of proof to include the notion of assumption
or dependency. An arbitrary well-formed formula can appear in a
proof sequence. But in such a case that formula is said to have a
formula identical with itself as its (unique) assumption formula.
Each formula in the sequence has an associated set of assumption
formulas, which can be empty, and which must be empty if it is the
end formula in the sequence. Each rule of inference preserves the
assumptions unless specified otherwise. Thus the conclusion of a
rule of the form R1 is dependent on the set of assumptions that is
the set-theoretic union of the sets of assumptions of the premisses.
In other words, assumptions are inherited from premisses to
conclusions.

Assumptions can be discharged only if the rule is of the form R2. In
this case the assumption formula designated by I can be discharged
from the set of assumptions associated with the conclusion designated
by K, while other assumptions are inherited.

Intuitively I ||- J means I implies J, and a free variable, say r,
reads "for any r".

The rules of inference discussed in the following sections all have,
with one exception, at most two premisses. Proofs may be represented
in the usual way by binary trees.

SUBSTITUTION of an expression t for a variable x in an expression E
is denoted by E|^x_t (E followed by a bar carrying x as superscript
and t as subscript).

We note that the termination of a program A is not expressible in
Hoare's system by statements of the form P{A}Q. On the other hand,
non-termination can be expressed by statements such as TRUE{A}FALSE.
There may be some indirect ways of constructing formulae that mean "A
terminates for all inputs satisfying P", and if so, it would be nice
to know for what class of programs this can be done.

REMARKS:

We presuppose a standard first-order theory, which shall be denoted
by T, representing the properties of the primitive functions and
predicates used in Pascal. However, our construction is uniform in
that choosing different first-order theories characterizing possibly
different functions and predicates does not affect the framework. A
standard model of the theory T is fixed and denoted by M.

In our formal system there are three kinds of procedure names we have
to distinguish:

1) Procedure names for primitive procedures. For instance a library
procedure whose body is inherently written in a language of lower
level belongs to this category. (It is even possible for us to
regard the assignment statement as such a procedure.)

2) Procedure names for declared procedures. We regard procedure
declarations as the "defining axioms" of such procedure names, which
constitute nonlogical axioms in our system and shall be denoted by J.
We assume J does not assign more than one procedure to a name.

3) Procedure names used in derivations. In the formal system we will
use procedure names which should intuitively be regarded as "free
variables" which represent arbitrary procedures. In proving
metatheorems we will use a name for each declared procedure.

Besides the above, each procedure name is assumed to have "arity", so
that it can represent or vary over declared procedures with, say, m
variable parameters and n value parameters. Such a procedure will be
called (m,n)-ary and the m (variable) parameters and the n (value)
parameters will be called the left and the right parameters,
respectively.

If a primitive procedure name, say q, occurs in a program about which
we are to prove a certain theorem, we have to either give a set of
(non-logical) axioms of the form P{q(x;y)}R or a defining axiom for q.
In most cases, we shall assume that the procedure can be written in
Pascal and that there is a defining axiom for it.


3. THE BASIS INFERENCE SYSTEM FOR VCG.

In this section we study the properties of the set V of axioms and
rules of inference used by VCG. One of our main concerns is that the
rules of inference in V should be unambiguous in the sense that only
one rule is applicable to generate subgoals from any given goal. This
will certainly be the case if no two rules have conclusions which
have common substitution instances, a property which is true of V.
The rules of V, which appear as Table 2 in Section 3.3, are simple
combinations of Hoare's original set of rules H given in Hoare
[1971a, p. 11R]. Having chosen V, we must establish that it is both
sound and deduction complete. We shall show first that a set C of
simple rules (the CORE) is sound and that any rule in H can be
derived from C. We then show that V and C are inter-derivable. We
shall begin by studying the relative derivability when none of the
sets of rules contains go to's or array variables. The rules H are
equivalent to the following set of rules.


3.1 THE CORE RULES

The set of axioms and rules of the core is given in Table 1. Rules
D3 (iteration), D7 (adaptation) of H have been omitted; D4
(alternation) has been replaced by C8 (conditional). We have added
the frame axiom (C2) for procedure calls and the and-or rule (C6);
Hoare's substitution rule (D6) corresponds to our left and right
substitution rules.

NOTATION: x, y, z - lists of variables; p, q, r - procedure names; s, t
- lists of expressions; K - procedure body; p(x;y) - denotes CALL
p(x;y) where x and y are the left and right parameters of p. VAR(P)
denotes the free variables of P; p(x;y) PROC K denotes a declaration
of the form "PROCEDURE p(x;y); BEGIN K END".


AXIOMS

C1. assignment axioms:        P|^x_t {x ← t} P

C2. frame axioms:             P{q(x;t)}P    provided ¬(x ⊂ VAR(P))

C3. procedure declarations:   p(x;y) PROC K.

C4. logical theorems:         P  for all P s.t. |- P.

RULES

C5. consequence:     P ⊃ Q,  Q{A}R          P{A}Q,  Q ⊃ R
                     -------------          -------------
                         P{A}R                  P{A}R

C6. and/or:          P{A}Q,  R{A}S          P{A}Q,  R{A}S
                     -------------          -------------
                      P∧R{A}Q∧S              P∨R{A}Q∨S

C7. composition:     P{A}Q,  Q{B}R
                     -------------
                        P{A;B}R

C8. conditional:     P∧R{A}Q,  P∧¬R{B}Q
                     -------------------
                     P{IF R THEN A ELSE B}Q

C9. substitution:    (L)  P(x;y){q(x;y)}Q(x;y)       (R)  P(x;y){q(x;y)}Q(x;y)
                          --------------------            --------------------
                          P(z;y){q(z;y)}Q(z;y)            P(x;s){q(x;s)}Q(x;s)

     SUBJECT TO THE RESTRICTIONS: (i) s does not contain members of x; (ii)
     members of z must be distinct and y and z are disjoint.

C10. procedure call:     p(x;y) PROC K(p),   P{r(x;y)}Q ||- P{K(r)}Q
                         ---------------------------------------------
                                          P{p(x;y)}Q

     where p does not occur in the proof of the right hand premiss,
     and r does not occur in any other assumption in that proof.

TABLE 1  C: THE CORE RULES.


In order to demonstrate that C is as "powerful" as H we show that any
proof in H of P{A}Q can be transformed into a proof in C of P{A'}Q
where A' is a program equivalent to A. An application of a rule R
(that is not a rule in C) in the given proof is to be replaced by a
derivation in C of the conclusion of R assuming the premisses of R.
The transformed proof will use only rules of C and will prove
essentially the same formal statement. It is clear that applications
of Hoare's substitution rule (D6) can be replaced by successive
applications of the left and right rules (C9). We therefore need
only consider the following three rules.
(D4) Alternation:    P1{A}Q,  P2{B}Q
                     --------------------------------------------
                     if R then P1 else P2 {if R then A else B} Q

(D7) Adaptation:     P(a;e){p(a;e)}R(a;e)
                     ----------------------------------------------
                     P(a;e) ∧ ∀a(R(a;e) ⊃ S(a;e)) {p(a;e)} S(a;e)

(D3) Iteration:      P{A}S,  S ⊃ if Q then P else R
                     -------------------------------
                     S{while Q do A}R

(a) D4 is derivable in C. Let P in the conditional rule (C8) be:
if R then P1 else P2.

1. P1{A}Q,  P2{B}Q                                    assumptions (premisses of D4)
2. P∧R ⊃ P1,  P∧¬R ⊃ P2
3. P∧R{A}Q,  P∧¬R{B}Q                                 consequence (C5) 1,2
4. if R then P1 else P2 {if R then A else B} Q        conditional (C8) 3.

(b) D7 is derivable in C.

1. P(a;e){p(a;e)}R(a;e)                                          assumption (premiss D7)
2. ∀a(R(a;e) ⊃ S(a;e)) {p(a;e)} ∀a(R(a;e) ⊃ S(a;e))              frame axiom (C2).
3. P(a;e) ∧ ∀a(R(a;e) ⊃ S(a;e)) {p(a;e)} R(a;e) ∧ ∀a(R(a;e) ⊃ S(a;e))
                                                                 and rule (C6) 1,2.
4. P(a;e) ∧ ∀a(R(a;e) ⊃ S(a;e)) {p(a;e)} S(a;e)                  C5, 3.
Corresponding to any while statement "while Q do A" we can define a recursive procedure:

    procedure whiledef(x;v);
        if Q then begin A; call whiledef(x;v) end
        else end

where x is the list of variables in A that are subject to change in the body A, and v is the list of all other variables in Q or A.

We consider a modified form of the iteration rule:

(D3')   P{A}S,  S ⊃ if Q then P else R
        ------------------------------
        S {call whiledef(x;v)} R

(c) D3' is derivable in C.

1. P{A}S                                                  Assumption (premiss D3').
2. S∧Q ⊃ P                                                Assumption (premiss D3').
3. S∧¬Q ⊃ R                                               Assumption (premiss D3').
4. S {call r(x;v)} R                                      Assumption.
5. P {A; call r(x;v)} R                                   C7, 1,4.
6. S∧Q {A; call r(x;v)} R                                 C5, 2,5.
7. S {if Q then begin A; call r(x;v) end else end} R      C8, 6,3.
8. S {call whiledef(x;v)} R                               C10, 4,7.

If we are given a proof in H of P{A}Q we may replace applications of D4 and D7 by the proofs (a) and (b); an application of D3 is replaced by a proof (c) of D3'. We will then have a proof in C of P{A'}Q where A' is the result of replacing each while statement in A by a call to the corresponding whiledef procedure. This is easily proved by induction on the length of the proof. Clearly A' is equivalent to A. This completes the proof that C is as powerful as H.

In the other direction, all of the core rules except the frame axiom and the and-or rule appear in H with minor differences and are easily shown to be derivable in H. Thus, to show that proofs in C can be carried out in H, we need only be concerned with eliminating C2 and C6.

Recall that a Pascal program must contain definitions of all called procedures except library procedures, and there are a finite number of those. This places a finite bound on the number of different procedures that can ever be called in any computation of a program.

d. LEMMA

||- TRUE{A}TRUE for any program A.

PROOF

We can construct a proof of TRUE{A}TRUE by using the rules (D1-D5) to generate subgoals starting from the goal TRUE{A}TRUE. Assume a list of variables r1, r2, r3, ... distinct from the list of procedure names that may be called in a computation of A. Subgoals are generated by applying the rules recursively as follows (D3 and D4 are equivalent to D3* and D4*):

(D2)   Subgoals:  TRUE{A}TRUE,  TRUE{B}TRUE
       Goal:      TRUE{A;B}TRUE

(D1)   Subgoal:   TRUE{B}TRUE
(D3)*  Subgoals:  TRUE∧P{B}TRUE,  (TRUE∧¬P) ⊃ TRUE
       Goal:      TRUE{while P do B}TRUE

(D1)   Subgoals:  TRUE{B}TRUE,  TRUE{C}TRUE
(D4)*  Subgoals:  TRUE∧P{B}TRUE,  TRUE∧¬P{C}TRUE
       Goal:      TRUE{if P then B else C}TRUE

(D5)   Subgoal:   TRUE{K(r_p)}TRUE
       Goal:      TRUE{p(x;v)}TRUE

where K is the body of p and r_p is a unique variable to be substituted for the procedure name p in every subsequent subgoal of the goal. The procedure terminates since the subgoals in each of the rules D2 - D4 are shorter than the goals, and D5 can be applied only finitely many times since the list of procedure names that can occur is finite and one of these names is eliminated from all further subgoals of a goal to which D5 applies. The length of any subgoal branch is bounded by 2nl where n is the number of procedures that can be called by A and l is the number of statements in A. The terminal subgoals are of two kinds: TRUE{x←e}TRUE (axioms) or TRUE{r_p(x;v)}TRUE. The second kind is the assumption for an application of D5 to derive a goal below it (i.e. a goal of which it is a subgoal). Thus the final subgoal tree is a proof of TRUE{A}TRUE.


(e) P{q(x;v)}P is provable if ¬(x ∈ VAR(P)).

This follows from lemma d by applying the adaptation rule (D7):

1. TRUE {q(x;v)} TRUE                        lemma d.
2. TRUE ∧ (∀x)(TRUE ⊃ P) {q(x;v)} P          D7, 1.
3. P {q(x;v)} P                              D1, 2 since x does not occur in TRUE or in P (by assumption).

This establishes that C2 can always be replaced in a CORE proof by a derivation in Hoare's system. To eliminate C6 from a CORE proof we argue as follows. Suppose a given proof contains an application of AND-OR; without loss of generality, let us say it is the final deduction. We show that this occurrence of AND-OR can be either eliminated altogether or "moved up" the proof tree, in the sense that it is replaced by an AND-OR application to the premisses of the premisses of the original application. This gives us a new proof containing only expressions that are in the old proof. We show further that in the second case, where the rule is "moved up", if the moving up procedure is repeated the rule will never again need to be applied in any new proof to the same pair of premisses it was applied to originally. Since the given proof contains a finite number of expressions, this establishes that our moving up procedure terminates with a proof in which all applications of AND-OR have disappeared.


(f) LEMMA

There is a constructive procedure for eliminating applications of the AND-OR rule from CORE proofs.

PROOF.

Suppose a given CORE proof contains one deduction by AND-OR of the form

    D.    H1,H2    H3,H4    (rule R)
          -----    -----
            I        J      (AND-OR)
          --------------
                K

where R is not AND-OR.

We give a procedure whereby either

(a) D can be replaced by a deduction of K from axioms by the rule of consequence, or

(b) D can be replaced by

    D1.   H1',H3'    H2',H4'    (AND-OR)
          -------    -------
            I1         J1       (rule R)
          ------------------
                  K

In case (b), for each i, the subproof Hi' in D1 contains only statements occurring in the subproof Hi in D. Repeated application of the procedure cannot result in (AND-OR) being applied to the pair I, J of premisses again.

We note that since the same program part must appear in both premisses of an application of AND-OR, the immediately preceding rules deducing those premisses must either be the same rule R or one of them must be the rule of consequence.


Let us consider the AND-case of this rule first. We give the replacement procedure for different cases of rule R:

(i) AXIOMS.

An application of AND-OR to axioms

    P|^x_e {x←e} P,   R|^x_e {x←e} R
    --------------------------------
    P|^x_e ∧ R|^x_e {x←e} P∧R

is eliminated entirely and replaced by the axiom

    (P∧R)|^x_e {x←e} P∧R

Applications of the AND-rule to frame axioms are eliminated similarly.


(ii) CONSEQUENCE.

An occurrence of AND-OR of the form

    P{A}Q1,  Q1 ⊃ Q
    ---------------
    P{A}Q,            R{A}S
    -----------------------
    P∧R {A} Q∧S

is replaced by

    P{A}Q1,  R{A}S
    ----------------------------
    P∧R {A} Q1∧S,   Q1∧S ⊃ Q∧S
    ----------------------------
    P∧R {A} Q∧S

The other cases (omitted) are similar.


(iii) WHILE

    P∧U{A}P,  (P∧¬U) ⊃ Q        R∧U{A}R,  (R∧¬U) ⊃ S
    --------------------        --------------------
    P {while U do A} Q          R {while U do A} S
    ------------------------------------------------
    P∧R {while U do A} Q∧S

is replaced by

    P∧U{A}P,  R∧U{A}R
    ----------------------------------------
    (P∧R)∧U {A} (P∧R),   (P∧R)∧¬U ⊃ (Q∧S)
    ----------------------------------------
    P∧R {while U do A} Q∧S

(iv) CONDITIONAL

    P∧U{A}Q,  P∧¬U{B}Q              R∧U{A}S,  R∧¬U{B}S
    ------------------------        ------------------------
    P {if U then A else B} Q        R {if U then A else B} S
    --------------------------------------------------------
    P∧R {if U then A else B} Q∧S

is replaced by

    P∧U{A}Q,  R∧U{A}S        P∧¬U{B}Q,  R∧¬U{B}S
    -----------------        -------------------
    (P∧R)∧U {A} Q∧S          (P∧R)∧¬U {B} Q∧S
    ---------------------------------------------
    P∧R {if U then A else B} Q∧S

Clauses for Composition and Substitution are similar to (iii) and (iv) and are omitted.

(v) PROCEDURE CALL

Procedure p has body K(p).

    P{r}Q ||- P{K(r)}Q        R{r}S ||- R{K(r)}S
    ------------------        ------------------
    P{p}Q                     R{p}S
    --------------------------------------------
    P∧R {p} Q∧S

is replaced by

    P{r}Q ||- P{K(r)}Q        R{r}S ||- R{K(r)}S
    ------------------        ------------------
    P{r2}Q                    R{r2}S
    [subproof]                [subproof]
    P{K(r2)}Q                 R{K(r2)}S

    P∧R {r2} Q∧S
    --------------------------------------------
    P∧R {K(r2)} Q∧S
    --------------------------------------------
    P∧R {p} Q∧S

This last transformation rule requires a word of explanation. In the replacement, the AND-OR rule has been "pushed up" and applied to assertions on K(p) instead of assertions on call p. The procedure call rule is now applied to P∧R{K(r2)}Q∧S, so that the relevant assumption is P∧R{r2}Q∧S. Subproofs for P{K(r2)}Q and R{K(r2)}S have to be appended; the given procedure rule applications ensure the existence of these subproofs. For example, we know there is a subproof of P{K(r)}Q from the assumption P{r}Q; an application of the CALL rule allows us to deduce P{r2}Q, where r2 is a new name for procedure p. The assumption P{r}Q is discharged at this point. We then repeat the subproof again with r2 replacing r everywhere. However, no assumption is necessary in this repetition since P{r2}Q is proved. Thus, the complete subproof trees for the premisses of the new AND-OR application contain copies of the given auxiliary subproofs at "assumption nodes". The statements in each new tree are exactly those of the old tree except possibly for r2 in place of r. If the replacement procedure is applied to this new subproof of P∧R{K(r2)}Q∧S, the AND-OR rule need not be applied to the same pair of hypotheses (with r2 for p) again, since P∧R{r2}Q∧S is now assumed true.

This completes the description of the replacement procedure for AND; the OR case contains almost identical clauses except that the replacements in cases (iii) and (iv) contain intermediate applications of consequence: (P∨R)∧U ⊃ (P∧U)∨(R∧U).

We note that Lemma f shows also that the AND-OR rule can be omitted from the CORE. In the presence of the other core rules, ADAPTATION may be replaced by the FRAME axioms. The previous discussion may be summarized by the following theorem.

g. THEOREM

If ||- P{A}Q then P{A'}Q is provable from the CORE, where A' is equivalent to A. Conversely, if P{A}Q is provable from the CORE then ||- P{A}Q.
3.2 A MODEL FOR THE CORE

We assume given a standard model M for the theory T of the true Boolean expressions of Pascal and a set J of procedure definitions. Essentially M is the standard model for arithmetic, possibly augmented by standard models for data types other than the integers. The details of M itself do not concern us. We show how to extend M to a model M* for the CORE.

To simplify the notation we assume a fixed ordering of the variables $x_1, x_2, x_3, \ldots$. This allows us to represent computation state vectors over the domain $D$ of $M$ by infinite sequences of elements of $D$, $a = \langle a_1, a_2, a_3, \ldots \rangle$. $D^*$ shall denote the set of all such sequences. Intuitively, state $a$ assigns the value or interpretation $a_i$ to $x_i$; this is denoted by $(x_i)_I$. The interpretation or value $t_I$ of a Boolean expression $t$ is defined in the usual way from the standard interpretation of the primitives $+$, $*$, etc. The value of $t$ applied to state $a$ will be denoted by $t_I(a)$. A Boolean expression of $n$ variables, say $P(x_1, \ldots, x_n)$, is interpreted in $M$ as a subset $P_M$ of $D^n$. Thus $P(x_1, \ldots, x_n)$ is true for the state vector $a$ if $\langle a_1, \ldots, a_n \rangle \in P_M$. This allows us to extend the interpretation of $P(x_1, \ldots, x_n)$ to $D^*$:

$$P(x_1, \ldots, x_n)_I = \{\, a \mid \langle a_1, \ldots, a_n \rangle \in P_M \,\}.$$

Moreover, the interpretation of substitution instances by definition satisfies:

$$a \in \big(P(x_1, \ldots, x_n)|^{x_i}_{e}\big)_I \iff \langle a_1, \ldots, a_{i-1}, e_I(a), a_{i+1}, \ldots \rangle \in P(x_1, \ldots, x_n)_I .$$

The interpretation of an $(m,n)$-ary procedure is a partial function $f$ of the type $N^m \times D^n \to (D^* \to D^*)$ having the following properties:

1) Frame property: $\big(f(i(1), \ldots, i(m);\, c_1, \ldots, c_n)(a)\big)_j = a_j$ if $j$ is different from $i(k)$ for every $k$ such that $1 \le k \le m$.

2) Substitution property: $\big(f(i(1), \ldots, i(m);\, c_1, \ldots, c_n)(a)\big)_{i(k)} = \big(f(j(1), \ldots, j(m);\, c_1, \ldots, c_n)(a)\big)_{j(k)}$, $1 \le k \le m$.

The definition of $f$ proceeds as follows.

We define by cases the computation sequence $F(A,a)$ of program $A$ relative to $M$ given input $a$ as follows. If $a$ is an infinite state vector, then:

(i) $F(x_i \leftarrow e,\, a) = \langle a_1, \ldots, a_{i-1}, e_I(a), a_{i+1}, \ldots \rangle$

(ii) $F(A;B,\, a) = F(A,a) \oplus F(B,\, U(A,a))$

(iii) $F(\text{if } P(x_1, \ldots, x_n) \text{ then } A \text{ else } B,\, a) = F(A,a)$ if $\langle a_1, \ldots, a_n \rangle \in P_M$, and $F(B,a)$ otherwise.

(iv) $F(q(z;t),\, a) = a \oplus F(K(z;t),\, a)$ where $J$ contains a defining axiom for $q$ of the form "$q(x;v)$ PROC $K(x;v)$" and $K(z;t)$ is obtained by substituting the actual parameters $z, t$ for the formal parameters $x, v$.

Here $a \oplus b$ is the sequence obtained by appending $b$ onto the end of $a$.

$U(A,a)$ is the end state of $F(A,a)$ if $F(A,a)$ is finite, and undefined otherwise.

The interpretation of program $A$ is now defined:

$$A_I = \{\, \langle a, b \rangle \mid U(A,a) = b \,\}$$

and $M$ is extended to $M^*$ by adding the function $A_I$ for each Pascal CORE program $A$.

We can now say when a statement of the form $P\{A\}Q$ is true in $M^*$ (denoted by $M^* \models P\{A\}Q$):

$$M^* \models P\{A\}Q \iff A_I(P_I) \subseteq Q_I .$$

Finally, a statement $S(r_1, \ldots, r_m)$ with assumptions $A_1(r_1, \ldots, r_m), \ldots, A_n(r_1, \ldots, r_m)$, where $r_1, \ldots, r_m$ are free procedure variables, is true in $M^*$ if and only if the following condition holds: if $A_1(p_1, \ldots, p_m), \ldots, A_n(p_1, \ldots, p_m)$ are true for any declared procedure names $p_1, \ldots, p_m$ from $J$, each $p_i$ having the same arity as $r_i$ ($1 \le i \le m$), then $S(p_1, \ldots, p_m)$ is true.

Here are some simple properties of this model:

(i) If the range of $A_I$ is empty then for any $P$ and $Q$, $M^* \models P\{A\}Q$.

(ii) If $M^* \models P\{K(q)\}Q$ then $M^* \models P\{q\}Q$, where $K$ is the body of procedure $q$.

(iii) If $p$ PROC $K(r)$ and $q$ PROC $K(s)$ and $r_I \subseteq s_I$ then $p_I \subseteq q_I$.

(iv) A Boolean assertion is true in $M^*$ if and only if its universal closure is true in $M$.


To show that $M^*$ is a model for the CORE we will show that the axioms are true in $M^*$ and that each of the rules of inference preserves truth (i.e. if the premisses of the rules are true in $M^*$ then so also are the conclusions). For simplicity we consider examples of the axioms and rules in which the statements have one free variable (three variables for the substitution rule) and in which the premisses do not have governing assumptions except in the case of the recursion rule; the argument for the general case is identical.

Consider first a typical assignment axiom $P(e)\{x_1 \leftarrow e\}P(x_1)$. We note that $(x_1 \leftarrow e)_I = \{\langle a, b \rangle : b = \langle e_I(a), a_2, a_3, \ldots \rangle\}$, and that $a \in P(e)_I \iff \langle e_I(a), a_2, \ldots \rangle \in P(x_1)_I$. Thus $(x_1 \leftarrow e)_I(P(e)_I) \subseteq P(x_1)_I$, so that the assignment axiom is true in $M^*$.

The frame axioms are clearly true in $M^*$: if $P$ does not contain $x_1$, say, and $a, b$ differ only at the first position, then $a \in P_I \iff b \in P_I$. If $q(x_1; v)$ changes only the value of $x_1$ then $q_I(P_I) \subseteq P_I$. Logical theorems are true in $M^*$ since they are true in $M$. Procedure declaration axioms are assumed to be in $J$.

We consider next the rules of inference. The fact that Consequence, Composition and Conditional all preserve truth in $M^*$ can be shown by elementary set theoretic arguments on the interpretations of Boolean expressions and programs. Simply note that if $P \supset Q$ is true in $M^*$ then $P_I \subseteq Q_I$, that $(P \wedge R)_I = P_I \cap R_I$, and that $(\neg R)_I = D^* - R_I$. The arguments are as follows:

CONSEQUENCE: If $P_I \subseteq Q_I$ and $A_I(Q_I) \subseteq R_I$ then $A_I(P_I) \subseteq R_I$.

COMPOSITION: If $A_I(P_I) \subseteq Q_I$ and $B_I(Q_I) \subseteq R_I$ then $B_I(A_I(P_I)) \subseteq R_I$.

CONDITIONAL: If $A_I(P_I \cap R_I) \subseteq Q_I$ and $B_I(P_I \cap (\neg R)_I) \subseteq Q_I$ then $(\text{if } R \text{ then } A \text{ else } B)_I(P_I) \subseteq Q_I$.


SUBSTITUTION

Consider the case when the procedure $q(x_1, x_2; x_3)$ has two left parameters and one right parameter, since this is sufficiently general. Let $q$ have body $K$. Assume that $x_1$ and $x_2$ are the only variables whose values can be changed by $K_I$, and that $x_3$ is the only value that its computation depends on. We require a simple lemma which may be proved by induction on the composition of $K$.

h. LEMMA.

For any $a$, if $K(x_1, x_2; x_3)_I(a) = b$ and $K(x_i, x_j; x_3)_I(a) = c$ then $b_1 = c_i$ and $b_2 = c_j$, provided $i \ne j \ne 3$.

Let $f, g$ be partial functions mapping $D^*$ into $D$ such that $K(x_1, x_2; x_3)_I(a) = \langle f(a_3), g(a_3), a_3, \ldots \rangle$ and hence also $K(x_4, x_5; x_3)_I(a) = \langle a_1, a_2, a_3, f(a_3), g(a_3), \ldots \rangle$. If the premisses of the substitution rule are true,

$$a \in P(x_1, x_2; x_3)_I \text{ implies } \langle f(a_3), g(a_3), a_3, \ldots \rangle \in Q(x_1, x_2; x_3)_I .$$

This is equivalent to:

$$\langle a_1, a_2, a_3 \rangle \in P_M \text{ implies } \langle f(a_3), g(a_3), a_3 \rangle \in Q_M .$$

Suppose $b \in P(x_4, x_5; x_3)_I$, so that $\langle b_4, b_5, b_3 \rangle \in P_M$. Then $\langle f(b_3), g(b_3), b_3 \rangle \in Q_M$ and this implies that $K(x_4, x_5; x_3)_I(b) \in Q(x_4, x_5; x_3)_I$. So the conclusion of the L-rule is true. On the other hand, if $b \in P(x_1, x_2; s(x_3))_I$ then $\langle b_1, b_2, s_I(b_3) \rangle \in P_M$ and therefore $\langle f(s_I(b_3)), g(s_I(b_3)), b_3 \rangle \in Q_M$. By the lemma above, $K(x_1, x_2; s(x_3))_I(b) = \langle f(s_I(b_3)), g(s_I(b_3)), b_3, \ldots \rangle$, so that the conclusion of the R-rule is also true.

For each of the previous rules we have shown that truth in $M^*$ is preserved.

The case of the recursive procedure call rule is more complicated and depends on the elementary properties of $M^*$ stated above.

PROCEDURE CALL

We prove that any proof containing applications of the procedure call rule proves a statement true in $M^*$ if all premisses of the proof are true in $M^*$. Our proof is by induction on the number $n$ of applications of the call rule.

Clearly the case $n = 0$ is already proved. Therefore, assume it is proved for proofs containing $n$ call rule applications, and consider the last application in a tree with $n+1$. Suppose this has $P(x;v)\{p(x;v)\}Q(x;v)$ as conclusion.

We may assume

I. if $M^* \models P(x;v)\{r(x;v)\}Q(x;v)$ then $M^* \models P(x;v)\{K(r)\}Q(x;v)$, for any procedure name $r$,

since the subproof of the premiss of this final application can itself contain at most $n$ occurrences of the call rule.

Let us define a sequence of procedures from $p$:

II. $p_0(x;v)$ PROC $K(\text{LOOP})$, $\quad p_{m+1}(x;v)$ PROC $K(p_m)$

where LOOP is a procedure that never halts.

CLAIM: For all $m$, $M^* \models P(x;v)\{p_m(x;v)\}Q(x;v)$.

PROOF: By induction on $m$. Clearly the claim is true for $m = 0$ by property (i) and I above. Suppose $M^* \models P\{p_m\}Q$. Then, substituting $p_m$ for $r$ in (I), we have $M^* \models P\{K(p_m)\}Q$. Therefore $M^* \models P\{p_{m+1}\}Q$ by property (ii). This proves the claim.

Next we note that $p_I$ is the least upper bound of the sequence $\{(p_m)_I\}$:

(1) $(p_0)_I \subseteq (p_1)_I \subseteq (p_2)_I \subseteq \cdots$

(2) For all $i$, $(p_i)_I \subseteq p_I$.

These follow by induction using property (iii).

(3) For any $a$, if $p_I(a)$ is defined there is an $m$ such that $p_I(a) = (p_m)_I(a)$.

This is so because $U(p,a) = U(p_m,a)$ for any $m$ such that $m > |F(p,a)|$, the length of $F(p,a)$.

From the claim and these facts we conclude $p_I(P_I) \subseteq Q_I$, so that indeed $M^* \models P(x;v)\{p(x;v)\}Q(x;v)$.

Thus we have established the following soundness theorem:

(i) THEOREM. If $P\{A\}Q$ is provable in the CORE then $P\{A\}Q$ is true in $M^*$.
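The model of 3.2 and the approximation argument above can be exercised on a machine. The following is an added example (not from the paper): a small Python interpreter for the computation sequence F(A,a) and end state U(A,a) over a CORE fragment, a check of M* ⊨ P{A}Q on a finite sample of states as A_I(P_I) ⊆ Q_I, and the sequence p0 PROC K(LOOP), p_{m+1} PROC K(p_m) built for a constructed factorial procedure; the sample states and the fuel bound that stands in for an infinite computation sequence are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

State = Tuple[int, ...]   # a = <a1, a2, a3, ...>, truncated to the variables actually used

@dataclass(frozen=True)
class Assign:             # x_i <- e                     (clause (i) of F)
    i: int
    e: Callable[[State], int]

@dataclass(frozen=True)
class Seq:                # A; B                         (clause (ii))
    first: object
    second: object

@dataclass(frozen=True)
class If:                 # if P then A else B           (clause (iii))
    p: Callable[[State], bool]
    then: object
    else_: object

@dataclass(frozen=True)
class Call:               # call q; the body K is looked up in J   (clause (iv))
    name: str

@dataclass(frozen=True)
class Skip:               # the empty "else end" branch used by whiledef
    pass

FUEL = 200  # assumption: a run longer than FUEL statement executions stands for an infinite F(A,a)

def U(stmt, a: State, J: Dict[str, object], fuel: int = FUEL) -> Optional[State]:
    """End state U(A,a) of the computation sequence F(A,a); None when it is undefined."""
    def run(s, st, fuel):
        if fuel == 0:
            return None, 0
        fuel -= 1
        if isinstance(s, Skip):
            return st, fuel
        if isinstance(s, Assign):                       # <a1, ..., e_I(a), ...>
            nxt = list(st); nxt[s.i] = s.e(st); return tuple(nxt), fuel
        if isinstance(s, Seq):                          # F(A,a) ⊕ F(B, U(A,a))
            mid, fuel = run(s.first, st, fuel)
            return (None, 0) if mid is None else run(s.second, mid, fuel)
        if isinstance(s, If):
            return run(s.then if s.p(st) else s.else_, st, fuel)
        if isinstance(s, Call):                         # a ⊕ F(K, a)
            return run(J[s.name], st, fuel)
        raise TypeError(f"not a CORE statement: {s!r}")
    return run(stmt, a, fuel)[0]

def graph(stmt, states, J) -> Dict[State, State]:
    """A_I restricted to the sample: the pairs <a, b> with U(A,a) = b defined."""
    out = {}
    for a in states:
        b = U(stmt, a, J)
        if b is not None:
            out[a] = b
    return out

def holds(P, stmt, Q, states, J) -> bool:
    """M* |= P{A}Q on the sample, i.e. A_I(P_I) ⊆ Q_I."""
    return all(Q(b) for a, b in graph(stmt, states, J).items() if P(a))

def approximations(K: Callable[[object], object], m: int):
    """[p0, ..., pm] with p0 PROC K(LOOP) and p_{k+1} PROC K(p_k)."""
    ps = [K(Call("LOOP"))]
    for _ in range(m):
        ps.append(K(ps[-1]))
    return ps

# Constructed example: p(x1,x2;x3) leaves x2 * x1! in x2 by recursion on x1; x3 is a copy of
# the initial x1 so that the postcondition can mention it.  K(q) is the body with callee q.
def K_fact(q):
    return If(lambda a: a[0] > 0,
              Seq(Assign(1, lambda a: a[1] * a[0]),
                  Seq(Assign(0, lambda a: a[0] - 1), q)),
              Skip())

J = {"LOOP": Call("LOOP"),       # a procedure that never halts: its body calls itself
     "p": K_fact(Call("p"))}

def fact(n): return 1 if n == 0 else n * fact(n - 1)
P = lambda a: a[1] == 1 and a[0] == a[2] and a[0] >= 0
Q = lambda a: a[1] == fact(a[2])
STATES = [(n, acc, n0) for n in range(5) for acc in (1, 2) for n0 in range(5)]

def chain_facts(m: int = 4):
    """Facts (1)-(3) of the soundness proof on the sample: (pk)_I ⊆ (pk+1)_I, every (pk)_I ⊆ p_I,
    and every a on which p_I is defined is already handled by some pk."""
    gs = [graph(pk, STATES, J) for pk in approximations(K_fact, m)]
    gp = graph(Call("p"), STATES, J)
    increasing = all(gs[k].items() <= gs[k + 1].items() for k in range(m))
    below_p = all(g.items() <= gp.items() for g in gs)
    reached = all(any(g.get(a) == b for g in gs) for a, b in gp.items())
    return increasing, below_p, reached

if __name__ == "__main__":
    print(holds(P, Call("p"), Q, STATES, J), chain_facts())
```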


3.3 RULES FOR VCG

The rules V used by VCG to generate subgoals and ultimately to produce verification conditions are simple combinations of the CORE rules. There are two additions: an extension to the assignment axiom for the case when assignment is made to an array element, and a rule for go to statements provided the corresponding labels are in the same procedure (or block). A rule for array assignments was given in King [1969] and the addition of a go to rule to Hoare's system is considered in Clint and Hoare [1972]. The extended systems C and H remain relatively sound and still have the same deductive power (i.e. Theorem (g) still holds). The rules for VCG are given in Table 2. It is easily checked that the set is unambiguous in that no two conclusions have a common substitution instance.


V1. SIMPLE ASSIGNMENT

    P{A}Q(e)
    --------------
    P{A; x←e}Q(x)

V2. ARRAY ASSIGNMENT

    P{A}R(if i=j then e else B[i])
    ------------------------------
    P{A; B[j]←e}R(B[i])

V3. CONSEQUENCE

    (i)   P ⊃ Q         (ii)   P{A}Q,  Q ⊃ R       (iii)   P{A}(Q ⊃ R)
          ---------            --------------              -----------
          P{Null}Q             P{A; Q}R                    P{A; Q-if}R

V4. ITERATION

    P{A}R,  R∧S{B}R,  R∧¬S ⊃ Q
    --------------------------        where R is an assertion
    P{A; R; while S do B}Q

V5. CONDITIONAL

    P{A; Q-if; B}R,  P{A; ¬Q-if; C}R
    --------------------------------
    P{A; if Q then B else C}R

V6. GOTO

    P{A}ASSERT(L)
    -------------
    P{A; GOTO L}Q

V7. PROCEDURE CALL

    U(x;v){q(x;v)}W(x;v) ||- P{A} U(a;e) ∧ ∀a(W(a;e) ⊃ R)
    -----------------------------------------------------
    P{A; q(a;e)}R

V8. PROCEDURE DECLARATION

    P{q(x;v)}R ||- P{A}R
    ------------------------
    P{procedure q(x;v); A}R

NOTATION:

P, Q, R, S are Boolean assertions. Null denotes the empty program. Q(e) denotes the substitution of e for x in Q(x). B[i] denotes the i-th element in array B. In each of the rules A can be Null. Q-if denotes a "marked" Boolean assertion Q.

TABLE 2. V: RULES OF VCG


The rules in Table 2 are stated in the form in which they are used to generate subgoals. Thus, for example, in the case of the assignment rule V1, the axiom Q(e){x←e}Q(x) is omitted from the premisses since it is true and therefore not generated as a subgoal. The composition rule is not used to generate subgoals (it would be a source of ambiguity) but is included in the other rules. VCG does not require assertions at conditional statements. It "marks" the conditional tests in the subgoals of the conditional rule, and uses them as assertions that permit a slightly different rule of consequence. The normal rule of consequence, V3(ii), would usually lead to a verification condition of the form Q ⊃ R' where R' is some formula involving R. Most likely the proof of R' would depend on the premiss P, and in such a case Q ⊃ R' is unlikely to be provable. (See examples 3 and 5, Section 5.)
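As an added illustration (not the paper's VCG), here is a Python verification condition generator that applies V1 to V5 of Table 2 backwards from the last statement of a program, carrying a conditional test into each branch as a marked assertion exactly as V5 and V3(iii) prescribe; the programs, the assertions and the use of Python expression syntax for assertions are the example's own assumptions.

```python
import ast

def subst(assertion: str, x: str, e: str) -> str:
    """Q(e): the result of substituting expression e for variable x in Q(x)."""
    rep = ast.parse(e, mode="eval").body
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return rep if node.id == x else node
    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))

def subst_array(assertion: str, B: str, j: str, e: str) -> str:
    """R(if i=j then e else B[i]): every B[i] in R becomes (e if i == j else B[i]), the
    conditional substitution of rule V2."""
    class Sub(ast.NodeTransformer):
        def visit_Subscript(self, node):
            self.generic_visit(node)
            if isinstance(node.value, ast.Name) and node.value.id == B:
                i = ast.unparse(node.slice)
                return ast.parse(f"({e}) if ({i}) == ({j}) else {B}[{i}]", mode="eval").body
            return node
    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))

def implies(p: str, q: str) -> str:
    return f"(not ({p})) or ({q})"

def vcg(P: str, stmts: list, Q: str) -> list:
    """Verification conditions (hypothesis, conclusion) for the goal P{stmts}Q, generated by
    applying V1-V5 to the last statement and recursing on the rest, as VCG does."""
    if not stmts:                              # V3(i): P{Null}Q gives the VC  P ⊃ Q
        return [(P, Q)]
    A, last = stmts[:-1], stmts[-1]
    kind = last[0]
    if kind == "assign":                       # V1: P{A; x<-e}Q(x)  from  P{A}Q(e)
        _, x, e = last
        return vcg(P, A, subst(Q, x, e))
    if kind == "aassign":                      # V2: P{A; B[j]<-e}R(B[i])  from  P{A}R(if i=j then e else B[i])
        _, B, j, e = last
        return vcg(P, A, subst_array(Q, B, j, e))
    if kind == "assert":                       # V3(ii): P{A; R}Q  from  P{A}R  and the VC  R ⊃ Q
        R = last[1]
        return vcg(P, A, R) + [(R, Q)]
    if kind == "marked":                       # V3(iii): P{A; S-if}Q  from  P{A}(S ⊃ Q)
        return vcg(P, A, implies(last[1], Q))
    if kind == "while":                        # V4: P{A; R; while S do B}Q
        _, S, R, body = last
        return (vcg(P, A, R)
                + vcg(f"({R}) and ({S})", body, R)
                + [(f"({R}) and not ({S})", Q)])
    if kind == "if":                           # V5: the test is marked and carried into each branch
        _, S, then_, else_ = last
        return (vcg(P, A + [("marked", S)] + then_, Q)
                + vcg(P, A + [("marked", f"not ({S})")] + else_, Q))
    raise ValueError(f"unknown statement kind {kind!r}")

def vc_true_in(vc, env: dict) -> bool:
    """Evaluate one VC in a concrete state: a cheap way to catch a wrong invariant before proving."""
    hyp, concl = vc
    return (not eval(hyp, {}, dict(env))) or eval(concl, {}, dict(env))

# Constructed programs (not from the paper).
# 1) maximum by a conditional with no intermediate assertion (exercises V5 and V3(iii)).
MAX_PROG = [("if", "x > y", [("assign", "m", "x")], [("assign", "m", "y")])]
# 2) array sum with the loop invariant R supplied as the assertion preceding the while (V4, V1, V3(i)).
SUM_PROG = [("assign", "i", "0"), ("assign", "s", "0"),
            ("while", "i < n", "s == sum(A[:i]) and i <= n",
             [("assign", "s", "s + A[i]"), ("assign", "i", "i + 1")])]
# 3) assignment to an array element (V2).
ARR_PROG = [("aassign", "B", "j", "5")]

if __name__ == "__main__":
    for hyp, concl in vcg("n >= 0", SUM_PROG, "s == sum(A[:n])"):
        print(f"{hyp}\n    ⊃ {concl}")
```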

It should be clear that any statement that can be proved in V can be proved in C. More precisely:

(j) REMARK

If V ||- P{A}Q where A is a program with intermediate assertions then C ||- P{A'}Q where A' is an equivalent program without the intermediate assertions.

The converse of remark (j) implies the deduction completeness of V. To prove the converse, first derive from V the composition rule (C7) by an induction argument on the statement length of B, the statement following the
Rules C1, C3, C4, C5, and C10 are straightforward to derive. Lemma f shows that C6 is directly derivable in C. It remains to derive C2, C8, and C9.

(C2) Lemma d holds in V as is easily checked.

1. TRUE {q(x;v)} TRUE                               Lemma d
2. P → (TRUE ∧ ∀x(TRUE → P))                        ¬(x ∈ VAR(P))
3. P {Null} TRUE ∧ ∀x(TRUE → P)                     V3i (2)
4. P {q(x;v)} P                                     V7 (1,3)

(C8)

1. P∧Q{B}R,  P∧¬Q{C}R                               Given
2. P → (Q → P∧Q),  P → (¬Q → P∧¬Q)                  Lemmas
3. P{Null}Q → P∧Q,  P{Null}¬Q → P∧¬Q                V3i (2)
4. P{Q-if}P∧Q,  P{¬Q-if}P∧¬Q                        V3iii (3)
5. P{Q-if; B}R,  P{¬Q-if; C}R                       C7 (4,1)
6. P{if Q then B else C}R                           V5 (5)

(C9)

1. P(x;v){q(x;v)}R(x;v)                             Given
2. P(a;e) → P(a;e) ∧ ∀a(R(a;e) → R(a;e))            Lemma
3. P(a;e){q(a;e)}R(a;e)                             V7 (1,2)


4. DESCRIPTION OF VCG

4.1 COMMENTS ON THE RULES

Array assignment and go to

The rule V2 for array assignment includes the usual conditional substitution operation. This rule is equivalent theoretically to the techniques proposed and implemented by King [1969] in that equivalent verification conditions result. Our rule makes the conditional expressions explicit while at the same time trying to keep the case analysis under control. Though our rule enables us to verify programs involving array assignment, we cannot state which array assignment method is preferable.

The go to rule (V6), following Clint and Hoare [1972], is for simple go to statements. By "simple" we mean jumps which stay, for example, within the current block or procedure definition. The rule is included so that a useful, but restricted, class of go to statements could be processed.


Procedures

H and hence V place several restrictions on the definition and use of procedures. First, procedures may contain no global variables. This is only a conceptual restriction: Hoare and Wirth [1972] introduce the notion of "implicit parameter" which makes each global variable into a parameter, at least notationally. Second, a key distinction is made between variable (VAR) and value (non-VAR) parameters. In brief, assignments to variable formal parameters affect the corresponding actual parameters; assignments to value parameters do not (see discussion in section 2.1). The notation, following Hoare [1971a], is:


                          variable    value
    formal parameters        x          v
    actual parameters        a          e

where each of x, v, a, and e represents a list of parameters. The two restrictions are that the list "a" must contain distinct identifiers and that no "a" parameter may appear in any of the expressions of the "e" list. The last restriction could be removed with a slight increase in the complexity of the rules of inference. Simple examples suffice to show what can happen if these restrictions are violated:

a. procedure B(var X1, X2 : integer);
   begin X1 := 2; X2 := 3 end

One can verify

    true {body} (X1=2) ∧ (X2=3).

The call B(A,A), which violates the distinct a list, will yield

    true {call B(A,A)} (A=2) ∧ (A=3),

an impossibility.

b. procedure C(var X : integer; V : integer);
   begin X := V + 1 end

One can verify

    true {body} X = V+1.

The call C(A,A), which has an "a" parameter also appearing as an e parameter, will yield

    true {call C(A,A)} A = A+1,

another impossibility.
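The two examples above can be checked mechanically. The following added Python example (not from the paper) tests a call against the two restrictions on the "a" and "e" lists, instantiates the verified postcondition of the body with the actual parameters as the call rule would, and shows by brute force over small integers that the instantiated assertions for B(A,A) and C(A,A) cannot hold; the use of Python expression syntax for assertions and the integer range searched are assumptions of the example.

```python
import ast
from itertools import product

def identifiers(expr: str) -> set:
    """Identifiers occurring in an expression (parsed with Python syntax for convenience)."""
    return {n.id for n in ast.walk(ast.parse(expr, mode="eval")) if isinstance(n, ast.Name)}

def call_violations(a_list: list, e_list: list) -> list:
    """The two restrictions on a call q(a; e): the variable ('a') actuals must be distinct
    identifiers, and no 'a' identifier may occur in any value ('e') expression."""
    problems = []
    repeated = sorted({x for x in a_list if a_list.count(x) > 1})
    if repeated:
        problems.append(f"'a' list not distinct: {repeated}")
    shared = sorted({x for x in a_list if any(x in identifiers(e) for e in e_list)})
    if shared:
        problems.append(f"'a' parameters occurring in 'e' expressions: {shared}")
    return problems

def instantiate(assertion: str, formals: list, actuals: list) -> str:
    """Simultaneously replace each formal parameter by its actual in an assertion about the
    body: what the call rule would assert about the call if the restrictions were ignored."""
    table = {f: ast.parse(a, mode="eval").body for f, a in zip(formals, actuals)}
    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return table.get(node.id, node)
    return ast.unparse(Sub().visit(ast.parse(assertion, mode="eval")))

def satisfiable(assertion: str, variables: list, domain=range(-3, 8)) -> bool:
    """Brute-force check whether some assignment of small integers makes the assertion true."""
    return any(eval(assertion, {}, dict(zip(variables, vals)))
               for vals in product(domain, repeat=len(variables)))

# The two declarations from the text: B(var X1, X2) with body X1 := 2; X2 := 3, and
# C(var X; V) with body X := V + 1, together with what was verified about each body.
B_POST = "X1 == 2 and X2 == 3"
C_POST = "X == V + 1"

def analyse_call(post: str, var_formals: list, val_formals: list, a_list: list, e_list: list):
    """Violations of the restrictions, the instantiated postcondition, and whether it can hold at all."""
    adapted = instantiate(post, var_formals + val_formals, a_list + e_list)
    free = sorted(identifiers(adapted))
    return call_violations(a_list, e_list), adapted, satisfiable(adapted, free)

if __name__ == "__main__":
    print(analyse_call(B_POST, ["X1", "X2"], [], ["A", "A"], []))
    print(analyse_call(C_POST, ["X"], ["V"], ["A"], ["A"]))
```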


For each procedure call the corresponding procedure declaration is assumed to be verified as stated in rule V8. The hypothesis of the procedure call rule is thus achieved, so the procedure call rule is applicable to both recursive and non-recursive declarations alike. Recall that the recursion rule (D5), i.e. the procedure declaration rule (V8), allows the desired conclusion to be used as an assumption in verifying (the body of) a recursive procedure declaration.

VCG does not allow a component of an array as an "a" parameter. This restriction is implied by H [Hoare 1971a, p. 115, last paragraph]. VCG does not permit the names of procedures or functions to be (actual) parameters; this could be allowed if one were to verify separately the procedure definition for each call involving procedure parameters, or if sufficiently general assertions could be supplied.

The procedure call rule (V7) in V is based on the adaptation rule (D7) in H. Both of these rules provide for extreme generality at an increase in complexity. An alternative rule is used in Hoare and Wirth [1972] which treats a procedure call as a generalized and concurrent assignment. That is, for each variable parameter x a function is assumed which, given the entry values of the parameters, computes the exit value of x. These functions accomplish the generalized assignment.


Functions

Four of the rules of V have been expanded to allow function calls to
occur in Pascal expressions. Function calls may occur only in
assignment, conditional, iteration, or procedure call statements.
Since Pascal functions have no global variables and no VAR
parameters, none of the restrictions needed for procedures apply in
the case of functions. Recursively defined functions are allowed.

To give the expanded rules, let P be the conjunction of the
preconditions of all the function calls occurring in a statement.
Similarly let R be the conjunction of the results (postconditions).
The expanded rules are

assignment      P ∧ (R → S(e)) {x := e} S(x)

                where P and R include any function call if x is an array
                element

conditional     Q → P,  Q ∧ R ∧ U {A} S,  Q ∧ R ∧ ¬U {B} S
                ------------------------------------------
                        Q {if U then A else B} S

                where P and R only include function calls in U

iteration       Q → P,  Q ∧ R ∧ U {B} Q ∧ P,  Q ∧ R ∧ ¬U → S
                --------------------------------------------
                          Q {while U do B} S

                where P and R only include function calls in U

procedure       P.G(x,v) {G(x,v)} R.G(x,v)
call            ---------------------------------------
                P ∧ (R → P.G ∧ ∀a(R.G → S)) {G(a,e)} S

                where P and R refer to the function calls in "e";
                P.G and R.G refer to the procedure G.

function        U {q(v)} W  ⊢  U {A} W
declaration     ----------------------
                U {function q(v); A} W

Each of the first four rules assumes that for each function call, the
corresponding function declaration is verified as stated in the
function declaration rule. If there are no function calls in a
statement, then P and R may be taken as "TRUE". In such cases the
expanded rules reduce to the original rules. VCG actually omits such
vacuous P and R terms. (The definition of P and R as conjunctions
means some loss of generality if nested function calls occur such as
in V := G(H(X)). A more complicated definition of P and R is known
for such cases but it is not implemented.)

Questions such as array bounds and division by zero can be handled by
treating each such operation as an appropriate precondition of a
function.
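The paragraph above leaves the bounds and division checks implicit. As an added illustration (Python rather than the paper's MLISP2, and not code from the paper), the following computes those side conditions for an expression and applies the expanded assignment rule with them: every A[i] over a declared range lo..hi contributes lo ≤ i ≤ hi, and every div or mod contributes divisor ≠ 0, to the conjunction P; R is vacuous for these two operations. The statements it is run on (the assignment I ← (M+N) DIV 2 and the guard X < A[I] of the binary table search of Section 5.5) come from the page; the array declaration A: array [1..N], the tuple encoding and the function names are the example's own.

```python
# Added example (Python; not the paper's MLISP2 code): array bounds and
# division by zero handled as preconditions of "functions", as the
# paragraph above suggests. Expressions are tuples: ('var', n), ('num', k),
# ('index', 'A', i) for A[i], and (op, l, r) for a binary operator.
# The array declaration is constructed for the example.

ARRAYS = {'A': (('num', 1), ('var', 'N'))}      # A: array [1..N] of integer

def fmt(e):
    """Render an expression as infix text (binary operators parenthesized)."""
    if e[0] in ('var', 'num'):
        return str(e[1])
    if e[0] == 'index':
        return '%s[%s]' % (e[1], fmt(e[2]))
    return '(%s %s %s)' % (fmt(e[1]), e[0], fmt(e[2]))

def subst(f, x, e):
    """Replace every occurrence of the variable x in f by the expression e."""
    if f[0] == 'var':
        return e if f[1] == x else f
    if f[0] == 'num':
        return f
    if f[0] == 'index':
        return ('index', f[1], subst(f[2], x, e))
    return (f[0], subst(f[1], x, e), subst(f[2], x, e))

def pre(e, arrays=ARRAYS):
    """The preconditions under which e is defined, innermost operands first:
    lo <= i <= hi for each A[i] with A declared over lo..hi, and d <> 0 for
    each div or mod with divisor d. This is the P of the expanded rules;
    these two operations contribute no R (result) terms."""
    if e[0] in ('var', 'num'):
        return []
    if e[0] == 'index':
        lo, hi = arrays[e[1]]
        return pre(e[2], arrays) + [('<=', lo, e[2]), ('<=', e[2], hi)]
    conds = pre(e[1], arrays) + pre(e[2], arrays)
    if e[0] in ('div', 'mod'):
        conds.append(('<>', e[2], ('num', 0)))
    return conds

def conj(fs):
    """Conjoin a list of formulas; the empty conjunction is TRUE."""
    out = fs[0] if fs else ('var', 'TRUE')
    for f in fs[1:]:
        out = ('and', out, f)
    return out

def expanded_assignment(x, e, S, arrays=ARRAYS):
    """Expanded rule  P and (R -> S(e)) {x := e} S(x)  with R vacuous:
    returns P and S(e); a vacuous P is omitted, as VCG does."""
    P = pre(e, arrays)
    wp = subst(S, x, e)
    return ('and', conj(P), wp) if P else wp

def binary_search_example():
    """The assignment I <- (M+N) div 2 and the guard X < A[I] from the
    binary table search of Section 5.5. Returns the side conditions the
    guard needs once I has been substituted (the Q -> P premise of the
    expanded conditional rule), and the expanded assignment rule's
    precondition for I <- (M+N) div 2 with S = (M < I) and (I <= N)."""
    mid = ('div', ('+', ('var', 'M'), ('var', 'N')), ('num', 2))
    guard = ('<', ('var', 'X'), ('index', 'A', ('var', 'I')))
    side = [fmt(c) for c in pre(subst(guard, 'I', mid))]
    S = ('and', ('<', ('var', 'M'), ('var', 'I')), ('<=', ('var', 'I'), ('var', 'N')))
    return side, fmt(expanded_assignment('I', mid, S))
```

An out-of-range index or a zero divisor therefore shows up as an unprovable verification condition rather than as an undefined value at run time, which is the point of the sentence above. The cost is that every partial operation adds conjuncts to P, which is why VCG drops the vacuous ones.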


4.2  A  RECURSIVE  DEFINITION  OF  VCG 


The operation of the verification condition generator is described by
the following equations. Let H(P,B,R) denote the LIST of
verification conditions for the formula P{B}R where B is an asserted
Pascal program and where P and R are assertions. H(P,B,R) is given by
cases on the form of B. "A" denotes all but the last statement of
B, "∧" between lists denotes the append operation on lists, "car" and
"cdr" denote the list operations of first and rest, and ";" is the
Pascal composition connective.

assignment (V1)          H(P, A; x←e, R(x)) = H(P, A, R(e))

array assignment (V2)    H(P, A; c[j]←e, R(c[i])) =
                             H(P, A, R(if i=j then e else c[i]))

null (V3(i))             H(P, null, R) = P → R

assert (V3(ii))          H(P, A; assert Q, R) = H(P, A, Q) ∧ (Q → R)

iteration (V4)           H(P, A; assert Q; while S do C, R) =
                             H(P, A, Q) ∧ H(Q∧S, C, Q) ∧ (Q∧¬S → R)

conditional              H(P, A; if S then C else D, R) =
(V5 and V2(iii))             H(P, A, car(H(S,C,R))) ∧ cdr(H(S,C,R)) ∧
                             H(P, A, car(H(¬S,D,R))) ∧ cdr(H(¬S,D,R))
                         where a missing "else" means D is null

go to (V6)               H(P, A; go to L, R) = H(P, A, assertion at L)

procedure call (V7)      H(P, A; q(a,e), R) =
                             H(P, A, U(a,e) ∧ ∀a(W(a,e) → R(a,e)))
                         where U(x,v){q(x,v)}W(x,v) is an assumption
                         for the procedure q

procedure                H(P, procedure q(x,v); C, R) = H(P, C, R)
declaration (V8)         where P{q(x,v)}R is assumed in
                         evaluating H(P, C, R)

compound                 H(P, A; begin C end, R) = H(P, A; C, R)


The equations for defining H(P,A,R) may be explained by the
following: An asserted Pascal program is recursively processed
top-down from the outermost syntactic structure to its innermost
constituents. The constituents of a compound statement are processed
starting with the last constituent. Accordingly, there is a unique
rule of inference that is applicable to each constituent. Each rule
of inference is applied in the reverse sense from its use in a formal
derivation. Thus, from the desired conclusion the appropriate
premises are generated as subgoals to be processed recursively. The
two assignment rules and go to rule are each applied directly by
computing the assertion on the right of the premise from the
assertion on the right of the conclusion. The procedure call rule
works somewhat analogously: the assertion on the right of the
premise is computed from the assertion on the right of the conclusion
and from the two assertions of the hypothesis. In all cases this
means VCG uses what is called "backward substitution" by King [1969],
that is VCG works backwards (opposite to the execution direction)
through the program.

That this is possible is far from accidental: Hoare and Wirth [1972,
p. 13] state, "The rules of inference are formulated in such a way
that the . . . process of deriving necessary properties of the
constituents from postulated properties of the composite statement is
facilitated. The reason for this orientation is that in deducing
proofs of properties of programs it is most convenient to proceed in
a 'top-down' direction."

While the notion of "a path between assertions" is not an explicit
part of VCG, the recursive processing of subgoals implicitly computes
all the required paths between assertions. Each resulting
verification condition covers one such path.

A Pascal source program consists of zero or more procedure
definitions, zero or more function definitions, and a single main
program. VCG produces a separate set of verification conditions for
each procedure definition, each function definition, and the main
program. If P represents the initial assumption (entry assertion)
for a unit and if R represents the desired result (exit assertion)
from that unit, then the verification conditions are computed from

P {procedure body} R
P {function body} R
P {main program} R

The assertion R must be present; if P is missing, the assertion
"UNRESTRICTED" is assumed which is a synonym for "TRUE". Since
Pascal returns a function value by assigning the value to the
function identifier (as in Algol), the exit assertion must be
modified by deleting the arguments from the defined function name.
This is necessary in order that the assignment rules work properly.

To illustrate the equations for defining H(P,A,R) two examples are
given. The first shows the subgoaling process on the
Quotient-Remainder algorithm of Examples 1 and 2 where the while
statement has been replaced by an equivalent go to construction.

Goal.       true {r←x; q←0; 10: assert x=r+y*q;
                  if y≤r then begin r←r-y;
                  q←1+q; go to 10 end} ¬(y≤r) ∧ (x=r+y*q)

Only V5 is applicable to the goal; first the arguments of the two
cars are computed.

Subgoal 1.  y≤r {r←r-y; q←1+q; go to 10}
            ¬(y≤r) ∧ (x=r+y*q)                           V5(Goal)

Subgoal 2.  ¬(y≤r) {null} ¬(y≤r) ∧ (x=r+y*q)             V5(Goal, missing else)

Argument 1. ¬(y≤r) → ¬(y≤r) ∧ (x=r+y*q)                  V3i(Subgoal 2)

Subgoal 3.  y≤r {r←r-y; q←1+q} x=r+y*q                   V6(Subgoal 1),
                                                         assertion at 10
                                                         is x=r+y*q

Subgoal 4.  y≤r {r←r-y} x=r+y*(1+q)                      V1(Subgoal 3)

Subgoal 5.  y≤r {null} x=(r-y)+y*(1+q)                   V1(Subgoal 4)

Argument 2. y≤r → x=(r-y)+y*(1+q)                        V3i(Subgoal 5)

Hence the application of V5 to the Goal requires, since the cdr terms
are null,

Subgoal 6.  true {r←x; q←0; assert x=r+y*q}
            ¬(y≤r) → ¬(y≤r) ∧ (x=r+y*q)                  V5(Goal), argument 1

Subgoal 7.  true {r←x; q←0; assert x=r+y*q}
            y≤r → x=(r-y)+y*(1+q)                        V5(Goal), argument 2

Lemma 3.    x=r+y*q → ¬(y≤r) → ¬(y≤r) ∧ (x=r+y*q)        V3ii(Subgoal 6)

Lemma 2.    x=r+y*q → y≤r → x=(r-y)+y*(1+q)              V3ii(Subgoal 7)

Subgoal 8.  true {r←x; q←0} x=r+y*q                      V3ii(Subgoals 6,7)

Subgoal 9.  true {r←x} x=r+y*0                           V1(Subgoal 8)

Subgoal 10. true {null} x=x+y*0                          V1(Subgoal 9)

Lemma 1.    true → x=x+y*0                               V3i(Subgoal 10)

EXAMPLE 4: SUBGOALING ON QUOTIENT-REMAINDER WITH A GO TO CONSTRUCTION

After logical simplification the three lemmas in Example 4 are
identical to the lemmas in Examples 1 and 2. The second example,
taken from Hoare [1971a], shows the subgoaling process on a recursive
procedure for computing the factorial function.

Goal.       a≥0 {procedure fact(var r: integer; a: integer);
                 if a=0 then r←1 else
                 begin fact(r, a-1); r←a*r end} r=a!

Subgoal 1.  a≥0 {fact(r,a)} r=a!  ⊢
            a≥0 {if a=0 then r←1 else
                 begin fact(r, a-1);
                 r←a*r end} r=a!                         V8(Goal)

Only V5 is applicable to Subgoal 1; first the arguments of the two
cars are computed.

Subgoal 2.  a=0 {r←1} r=a!                               V5(Subgoal 1)

Subgoal 3.  ¬(a=0) {fact(r,a-1); r←a*r} r=a!             V5(Subgoal 1)

Subgoal 4.  a=0 {null} 1=a!                              V1(Subgoal 2)

Argument 1. a=0 → 1=a!                                   V3i(Subgoal 4)

Subgoal 5.  ¬(a=0) {fact(r,a-1)} a*r=a!                  V1(Subgoal 3)

Subgoal 6.  ¬(a=0) {null} (a-1≥0) ∧ ∀r#(r#=(a-1)! → a*r#=a!)
                                                         V7(Subgoal 5,
                                                         assumption of
                                                         Subgoal 1)

Argument 2. ¬(a=0) → (a-1≥0) ∧ ∀r#(r#=(a-1)! → a*r#=a!)
                                                         V3i(Subgoal 6)

Hence the application of V5 to Subgoal 1 requires, since the cdr
terms are null,

Subgoal 7.  a≥0 {null} ¬(a=0) → (a-1≥0) ∧ ∀r#(r#=(a-1)! → a*r#=a!)
                                                         V5(Subgoal 1), argument 2

Lemma 2.    a≥0 → ¬(a=0) → (a-1≥0) ∧ ∀r#(r#=(a-1)! → a*r#=a!)
                                                         V3i(Subgoal 7)

Subgoal 8.  a≥0 {null} a=0 → 1=a!                        V5(Subgoal 1), argument 1

Lemma 1.    a≥0 → a=0 → 1=a!                             V3i(Subgoal 8)

EXAMPLE 5: SUBGOALING ON THE FACTORIAL PROCEDURE
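To make the equations of Section 4.2 and the subgoaling of Examples 4 and 5 concrete, here is an added example in Python; the paper's VCG is written in MLISP2, and this is not its code. It implements H(P,B,R) by backward substitution for assignment, assert-while, if-then-else and the procedure call rule V7 with the "#" fresh-variable convention, and runs it on the quotient-remainder program (in its while form, which is the form of Examples 1 and 2) and on the factorial procedure with its own specification assumed (V8). The tuple encoding of formulas and the names paths, vcg and show are the example's own; the go to rule V6 and the array assignment rule V2 are not included.

```python
# Added example (Python, not the paper's MLISP2 code): H(P,B,R) of Section 4.2
# by backward substitution. Formulas and expressions are nested tuples:
# ('var', n), ('num', k), ('true',), (binop, l, r) for + - * = <= >= and ->,
# ('not', f), ('forall', n, f) and ('app', name, arg). Statements are
# ('assign', x, e), ('if', S, C, D) with C and D statement lists,
# ('while', Q, S, C) for "assert Q; while S do C", and ('call', p, vars, exprs).
# specs[p] = (formal_vars, formal_exprs, entry, exit) is p's assumed spec (V8).

def subst(f, m):
    """Simultaneously replace the free variables of f by the expressions in m."""
    if not isinstance(f, tuple):
        return f
    if f[0] == 'var':
        return m.get(f[1], f)
    if f[0] == 'forall':                                   # bound name shadows m
        return ('forall', f[1], subst(f[2], {k: v for k, v in m.items() if k != f[1]}))
    return (f[0],) + tuple(subst(x, m) for x in f[1:])

def paths(stmts, R, specs):
    """Work through stmts from the last statement back (backward substitution).
    Returns (opens, closed): 'opens' must hold at the start of stmts, one per
    path back from R (the "car" terms); 'closed' are finished conditions."""
    if not stmts:                                          # V3(i): null
        return [R], []
    A, s = stmts[:-1], stmts[-1]
    if s[0] == 'assign':                                   # V1
        return paths(A, subst(R, {s[1]: s[2]}), specs)
    if s[0] == 'while':                                    # V4
        _, Q, S, C = s
        opens, closed = paths(A, Q, specs)
        body_opens, body_closed = paths(C, Q, specs)
        closed += [('->', ('and', Q, S), w) for w in body_opens]
        return opens, closed + body_closed + [('->', ('and', Q, ('not', S)), R)]
    if s[0] == 'if':                                       # V5
        _, S, C, D = s
        opens, closed = [], []
        for cond, branch in ((S, C), (('not', S), D)):
            br_opens, br_closed = paths(branch, R, specs)
            closed += br_closed
            for w in br_opens:                             # car(H(S,C,R)) is S -> w
                o, c = paths(A, ('->', cond, w), specs)
                opens += o
                closed += c
        return opens, closed
    if s[0] == 'call':                                     # V7
        _, p, avars, aexprs = s
        fvars, fexprs, U, W = specs[p]
        by_value = dict(zip(fexprs, aexprs))
        fresh = {a: ('var', a + '#') for a in avars}       # bound copies of the "a" actuals
        entry = subst(U, {**by_value, **{f: ('var', a) for f, a in zip(fvars, avars)}})
        exit_ = subst(W, {**by_value, **{f: fresh[a] for f, a in zip(fvars, avars)}})
        body = ('->', exit_, subst(R, fresh))
        for a in reversed(avars):
            body = ('forall', a + '#', body)
        return paths(A, ('and', entry, body), specs)
    raise ValueError('unknown statement ' + str(s[0]))

def vcg(P, stmts, R, specs=None):
    """H(P, stmts, R): the list of verification conditions for P{stmts}R."""
    opens, closed = paths(stmts, R, specs or {})
    return [('->', P, w) for w in opens] + closed

def show(f):
    """Render a formula as text; binary operators are fully parenthesized."""
    k = f[0]
    if k in ('var', 'num'): return str(f[1])
    if k == 'true': return 'true'
    if k == 'not': return '~' + show(f[1])
    if k == 'forall': return 'forall %s.%s' % (f[1], show(f[2]))
    if k == 'app': return '%s(%s)' % (f[1], show(f[2]))
    return '(%s %s %s)' % (show(f[1]), k, show(f[2]))

def V(n): return ('var', n)
def N(k): return ('num', k)

def quotient_remainder_vcs():
    """Examples 1, 2 and 4 in while form: r<-x; q<-0; assert x=r+y*q;
    while y<=r do begin r<-r-y; q<-1+q end, exit ~(y<=r) and x=r+y*q."""
    inv = ('=', V('x'), ('+', V('r'), ('*', V('y'), V('q'))))
    prog = [('assign', 'r', V('x')),
            ('assign', 'q', N(0)),
            ('while', inv, ('<=', V('y'), V('r')),
             [('assign', 'r', ('-', V('r'), V('y'))),
              ('assign', 'q', ('+', N(1), V('q')))])]
    post = ('and', ('not', ('<=', V('y'), V('r'))), inv)
    return [show(vc) for vc in vcg(('true',), prog, post)]

def factorial_vcs():
    """Example 5 / Section 5.2: procedure fact(var r; a), entry a>=0, exit
    r=factorial(a); the recursive call uses the spec as an assumption."""
    entry = ('>=', V('a'), N(0))
    exit_ = ('=', V('r'), ('app', 'factorial', V('a')))
    body = [('if', ('=', V('a'), N(0)),
             [('assign', 'r', N(1))],
             [('call', 'fact', ['r'], [('-', V('a'), N(1))]),
              ('assign', 'r', ('*', V('a'), V('r')))])]
    return [show(vc) for vc in vcg(entry, body, exit_, {'fact': (['r'], ['a'], entry, exit_)})]
```

quotient_remainder_vcs() returns the three lemmas of Example 4 in the order Lemma 1, Lemma 2, Lemma 3, and factorial_vcs() returns Lemma 1 and Lemma 2 of Example 5, with the recursive call's postcondition quantified over the fresh r#. Two design points carry over from the paper: the conditional rule re-runs the prefix A once per open path, which is exactly the duplication that the termination argument of Section 4.4 bounds by the nearest enclosing assertion, and a call's "a" actuals are renamed before the procedure's exit assertion is conjoined, which is what keeps the substitution in V1 free of variable capture.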

4.3  SPECIFIC  IMPLEMENTATION  OF  VCG 

The verification condition generator is written in MLISP2 [Smith and
Enea 1973], a version of Lisp which has an Algol-like syntax and an
extendable parser. Writing BNF-like syntax equations and associated
semantics for each equation permits the rapid, easy construction of a
parser for Pascal source programs. The parser handles all details of
scanning such as creating identifiers and numbers from individual
characters, recognizing delimiters, and processing blanks. The
parser produces a list-structured representation of the Pascal source
in which all statements and expressions are converted from infix to
prefix notation.

The generator is a loop each cycle of which processes one of the
subgoals of the form P{A}R. This loop repeatedly determines for each
subgoal the single next applicable rule of inference and applies it
to the subgoal. As new subgoals are created they are stacked. The
result is a list of verification conditions for the input Pascal
source program.

Tables 3 and 4 give more detailed information on the subset of Pascal
which VCG processes.

statements                  implementation status and comments

assignment                  left hand side must be either an
                            identifier or a 1-dimensional array
                            element

procedure call              there must be at least one actual
                            parameter (a zero parameter call is
                            no use without global variables);
                            restrictions on actual
                            parameters apply

compound                    no restrictions

if-then-else and if-then    no restrictions

case                        not implemented - no problems foreseen

while                       no restrictions

repeat                      not implemented - no problems foreseen

for                         not implemented - revised Pascal
                            has a changed definition of the for
                            statement and a new rule of inference

with                        not implemented

go to                       a label may appear at most once in
                            the entire source program; go to's
                            may only be "local" jumps within a
                            block.

                            deleted by parser

TABLE 3: PASCAL STATEMENTS IN VCG


other syntactic units       implementation status and comments

procedure and function      no global variables permitted
definitions

variable and 1-dimensional  syntax implemented; not further
array declarations          included in verification conditions -
                            no problems foreseen

formal parameter            crucial to operation of procedure
declarations                call rule

const declarations          not implemented - no problems
                            foreseen

type declarations           not implemented - problem status not
                            clear

expression                  no restrictions; augmented to allow
                            assertions to include quantifiers
                            (∀, ∃), implication (→, ⊃), and a
                            second type of conjunction (&) (∨ and
                            ∧ are already in Pascal); & is used
                            to conjoin assertions using fewer
                            parentheses than ∧ requires

pointer, set, scalar,       not implemented - some problems
record, file                expected

constant                    integer only; no real numbers or
                            strings

TABLE 4: OTHER SYNTACTIC UNITS IN VCG


The substitution done in the assignment rules (V2 and V3) need not
check for a variable becoming bound by the substitution because of
three circumstances. First, by convention all quantified variables
in the supplied assertions are assumed to be distinct from the
program variables. Second, the bound variables introduced by the
procedure call rule (V7) are distinct from the program variables
because such introduced bound variables all contain the character "#"
while no program variable (or supplied assertion variable) may
include a "#". Third, these are the only occurrences of quantifiers.

The existential quantifier in the adaptation rule (D7) can be
eliminated similarly by notation conventions.

VCG makes very few checks on its input. The major assumption is that
the source program obeys all the restrictions of the Pascal language.
While these restrictions could relatively easily be checked, they are
not since it is reasonable to assume that all input has been
processed by a Pascal compiler. There are additional restrictions on
the source program imposed by V. Since these might also be enforced
by an augmented compiler, little effort was expended in this
direction in VCG. Another simplifying and unchecked assumption is
that a source program does not contain duplicated variable names; the
introduction of fresh variables for duplicated names, using the
declaration rule (D8), will remove this restriction.

4.4  TERMINATION  OF  THE  TOP  LEVEL  OF  VCG 

The essential reasons why VCG terminates are as follows: All rules
except the conditional rule generate one or two subgoals as they
process a goal, each with fewer statements. The conditional rule
generates two subgoals each including a set of statements from just
before the if statement back until an assert statement is reached
such that this assertion is at the same "indentation level" as the if
statement. But even this process is "decreasing" since any further
replication of subgoals will be bounded by the same assert statement.

The existence of the assertion needed for the conditional rule
follows since each subgoal is well-formed, i.e., there is an
assertion at least at the start of each subgoal. Recall the
inclusion of "UNRESTRICTED" if needed. No claim is made that the
recursive manipulation of the expressions in the assertions will
always terminate, but this is separate from the termination of the
top level of VCG.

5. EXAMPLES


5.1 FACTORIAL AS A FUNCTION

This example shows the factorial function written as a Pascal
recursive function. The next example illustrates the factorial
function written as a Pascal recursive procedure. Upper case "FACT"
denotes the program and lower case "factorial" denotes the
mathematical object usually denoted by !. Except for a "change of
notation" the verification conditions are the same in both examples.

PASCAL EXIT ARBITRARY;

FUNCTION FACT(N:INTEGER):INTEGER;

ENTRY N≥0; EXIT FACT(N) = Factorial(N);

BEGIN IF N = 0 THEN FACT ← 1 ELSE FACT ← N * FACT(N-1) END;
BEGIN X ← X END.;


PASCAL PROGRAM SUCCESSFULLY PARSED
FOR FACT THE

2 VERIFICATION CONDITIONS ARE:

# 1 N≥0 → N=0 → 1=Factorial(N)

# 2 N≥0 → ¬(N=0) → (N-1≥0) ∧ (FACT(N-1)=Factorial(N-1) → N*FACT(N-1)=Factorial(N))

FOR THE MAIN PROGRAM THE
1 VERIFICATION CONDITIONS ARE:

# 1 UNRESTRICTED → ARBITRARY

5.2 FACTORIAL AS A PROCEDURE


See comments for previous example.

PASCAL ENTRY B≥0; EXIT C = Factorial(B);
PROCEDURE FACT(VAR R:INTEGER; A:INTEGER);
ENTRY A ≥ 0; EXIT R = Factorial(A);

BEGIN IF A = 0 THEN R ← 1 ELSE

  BEGIN FACT(R, A-1); R ← A*R END

END;

BEGIN FACT(C,B) END.;


*****

PASCAL PROGRAM SUCCESSFULLY PARSED


FOR FACT THE

2 VERIFICATION CONDITIONS ARE:

# 1 A≥0 → A=0 → 1=Factorial(A)

# 2 A≥0 → ¬(A=0) → (A-1≥0) ∧ ∀R#(R#=Factorial(A-1) → A*R#=Factorial(A))

FOR THE MAIN PROGRAM THE
1 VERIFICATION CONDITIONS ARE:

# 1 B≥0 → (B≥0) ∧ ∀C#(C#=Factorial(B) → C#=Factorial(B))

5.3 INTERCHANGE SORT


This example, taken from King [1969], sorts by successively finding
the largest element of the unsorted initial segment A[1..J] of the
array A and exchanging it with A[J]. The assertions include
provision for showing that the array A at the exit is a permutation
of the array A at the entry. The entry array is denoted by the array
name A0. The assertions contain two definitions.
SAMESET(A,A0,A[arbitrary]) denotes that A and A0 are the same set of
elements including repetition. The term A[arbitrary] is a trick to
allow VCG to check that an array is unaltered over a path between
assertions. The trick is needed because array substitution is done
by array element, not by array name. The second definition is for
MULTISET(A,A0,J,K,L,M) where K and M denote array elements of A, and
J and L denote subscripts of A. MULTISET denotes that A and A0 are
the same set of elements including repetition even if A[J]:=K and
A[L]:=M are simultaneously done. Thus, e.g.,

MULTISET(A,A0,J,A[J],LOC,A[LOC])

and

MULTISET(A,A0,J,A[LOC],LOC,A[J])

both are true, but

MULTISET(A,A0,J,A[J],J+1,A[J])

is not true generally.

This asserted program and resulting verification conditions were the
initial input to the Allen-Luckham theorem prover when it was able to
discover the verification condition which could not be proved.

PASCAL ENTRY N ≥ 1 & SAMESET(A,A0,A[ARBITRARY]);

EXIT ∀K((1≤K)∧(K≤N-1) ⊃ A[K]≤A[K+1]) & SAMESET(A,A0,A[ARBITRARY]);

BEGIN J ← N;

ASSERT ∀K((J+1≤K)∧(K≤N-1) ⊃ A[K]≤A[K+1]) &
       ∀M((1≤M)∧(M≤J)∧(J≤N-1) ⊃ A[M]≤A[J+1]) &
       1≤J & J≤N & MULTISET(A,A0,J+1,A[J+1],LOC,A[LOC]);

WHILE J ≥ 2 DO
BEGIN

  BIG ← A[1]; LOC ← 1; I ← 2;

  ASSERT ∀K((J+1≤K)∧(K≤N-1) ⊃ A[K]≤A[K+1]) &
         ∀L((1≤L)∧(L≤I-1)∧(I-1≤N) ⊃ A[L]≤BIG) &
         ∀M((1≤M)∧(M≤J)∧(J≤N-1) ⊃ A[M]≤A[J+1]) &
         BIG=A[LOC] & 1≤LOC & LOC≤J & I≥2 &
         2≤J & J≤N & SAMESET(A,A0,A[ARBITRARY]);

  WHILE I ≤ J DO

  BEGIN IF A[I] > BIG THEN

          BEGIN BIG ← A[I]; LOC ← I END;

        I ← I+1
  END;

  A[LOC] ← A[J];

  A[J] ← BIG;

  J ← J-1
END
END.;

*****

PASCAL PROGRAM SUCCESSFULLY PARSED


FOR THE MAIN PROGRAM THE
6 VERIFICATION CONDITIONS ARE:


# 1 N≥1&SAMESET(A,A0,A[ARBITRARY])
    →
    ∀K((N+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&
    ∀M((1≤M)∧(M≤N)∧(N≤N-1)⊃A[M]≤A[N+1])&1≤N&N≤N&
    MULTISET(A,A0,N+1,A[N+1],LOC,A[LOC])

Note: A[N+1] is undefined and, since LOC is undefined, so is A[LOC].
Nevertheless, by convention this MULTISET term may be considered true.

# 2 (∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&
    1≤J&J≤N&MULTISET(A,A0,J+1,A[J+1],LOC,A[LOC]))∧(J≥2)
    →
    ∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&
    ∀L((1≤L)∧(L≤2-1)∧(2-1≤N)⊃A[L]≤A[1])&∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&
    A[1]=A[1]&1≤1&1≤J&2≥2&2≤J&J≤N&SAMESET(A,A0,A[ARBITRARY])

# 3 (∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀L((1≤L)∧(L≤I-1)∧(I-1≤N)⊃A[L]≤BIG)&
    ∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&BIG=A[LOC]&1≤LOC&LOC≤J&I≥2&2≤J&J≤N&
    SAMESET(A,A0,A[ARBITRARY]))∧(I≤J)∧A[I]>BIG
    →
    ∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀L((1≤L)∧(L≤I+1-1)∧(I+1-1≤N)⊃A[L]≤A[I])&
    ∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&A[I]=A[I]&1≤I&I≤J&I+1≥2&2≤J&J≤N&
    SAMESET(A,A0,A[ARBITRARY])

# 4 (∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀L((1≤L)∧(L≤I-1)∧(I-1≤N)⊃A[L]≤BIG)&
    ∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&BIG=A[LOC]&1≤LOC&LOC≤J&I≥2&2≤J&J≤N&
    SAMESET(A,A0,A[ARBITRARY]))∧(I≤J)∧¬(A[I]>BIG)
    →
    ∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀L((1≤L)∧(L≤I+1-1)∧(I+1-1≤N)⊃A[L]≤BIG)&
    ∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&BIG=A[LOC]&1≤LOC&LOC≤J&I+1≥2&2≤J&J≤N&
    SAMESET(A,A0,A[ARBITRARY])

# 5 (∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀L((1≤L)∧(L≤I-1)∧(I-1≤N)⊃A[L]≤BIG)&
    ∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&BIG=A[LOC]&1≤LOC&LOC≤J&I≥2&2≤J&J≤N&
    SAMESET(A,A0,A[ARBITRARY]))∧¬(I≤J)
    →
    ∀K((J-1+1≤K)∧(K≤N-1)⊃ IF J=K THEN BIG ELSE IF LOC=K THEN A[J] ELSE A[K] ≤
      IF J=K+1 THEN BIG ELSE IF LOC=K+1 THEN A[J] ELSE A[K+1])&
    ∀M((1≤M)∧(M≤J-1)∧(J-1≤N-1)⊃ IF J=M THEN BIG ELSE IF LOC=M THEN A[J] ELSE A[M] ≤
      IF J=J-1+1 THEN BIG ELSE IF LOC=J-1+1 THEN A[J] ELSE A[J-1+1])&1≤J-1&J-1≤N&
    MULTISET(A,A0,J-1+1, IF J=J-1+1 THEN BIG ELSE IF LOC=J-1+1 THEN A[J] ELSE A[J-1+1],
      LOC, IF J=LOC THEN BIG ELSE IF LOC=LOC THEN A[J] ELSE A[LOC])

# 6 (∀K((J+1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&∀M((1≤M)∧(M≤J)∧(J≤N-1)⊃A[M]≤A[J+1])&
    1≤J&J≤N&MULTISET(A,A0,J+1,A[J+1],LOC,A[LOC]))∧¬(J≥2)
    →
    ∀K((1≤K)∧(K≤N-1)⊃A[K]≤A[K+1])&SAMESET(A,A0,A[ARBITRARY])

***** 


5.4 A SAMPLE PROOF FOR ONE OF THE VERIFICATION CONDITIONS OF THE
PROGRAM INTERCHANGE SORT

Below we give a proof of part of the last verification condition (#6
from Section 5.3). This proof was obtained by a theorem proving
program [Allen and Luckham] from the set of axioms and statements
shown below. This simple set of axioms was found to be sufficient to
obtain proofs of all parts of verification conditions for interchange
sort not involving the theory of permutations.

Below P(X) means X-1 and S(X) means X+1.

VAR: X,Y,Z,K,M,L;

INF_PRED: <,=,≤;

PRE_OP: P,S,A,J,N,1,2;

EQUALITY: =;

AXIOMS: X≤X;
        (X≤Y∧Y≤Z)→X≤Z;
        (X≤Y∧Y≤X)→Y=X;
        X<Y≡(X≤Y∧¬(X=Y));
        X≤Y∨Y≤X;
        X<S(X);
        P(X)<X;
        S(P(X))=X;
        P(S(X))=X;
        S(1)=2;
        P(2)=1;
        ((X<Y∧P(Y)≤X)→P(Y)=X);
        (X<Y→X≤P(Y));
        (X<Y→S(X)≤Y);
        (X≤Y→P(X)<Y);

LEMMA: J=1;

PREMISSES: ((S(J)≤K)∧(K≤P(N)))→A(K)≤A(S(K));
           ((1≤M)∧(M≤J)∧(J≤P(N)))→A(M)≤A(S(J));
           1≤J;
           J≤N∧¬(2≤J);

THEOREM: (∀K)(1≤K∧K≤P(N))→A(K)≤A(S(K));


Note that we have added as hypothesis the fact that J=1. The proof of
this statement required some computation and was derived by the
theorem prover while trying to prove the theorem. The proof that J=1
follows below:

   J = 1; 1 2

1  P(2) = 1; AXIOM

2  P(2) = J; 3 4

3  1 ≤ J; AXIOM

4  1 ≤ J ⊃ P(2) = J; 5 6
5  P(2) = 1; AXIOM
6  P(2) ≤ J ⊃ P(2) = J; 7 8
7  Y < X ∧ P(X) ≤ Y ⊃ P(X) = Y; AXIOM
8  J < 2; 9 10
9  X ≤ X; AXIOM

10 J ≤ X ∧ 2 ≤ X ⊃ J < X; 11 12

11 X ≤ Y ⊃ X < Y ∨ X = Y; AXIOM

12 ¬2 ≤ J; AXIOM


The proof of the last verification condition follows (the
THEOREM2 arises from the negation of the theorem):


   NIL; 1 2

1  A(THEOREM2) ≤ A(S(THEOREM2)); 3 4

3  J ≤ J ⊃ A(J) ≤ A(S(J)); 5 6

4  X ≤ X; AXIOM

5  1 ≤ J; AXIOM

6  1 ≤ X ∧ X ≤ J ⊃ A(X) ≤ A(S(J)); 7 8
7  J ≤ P(N); 9 10

8  1 ≤ X ∧ (X ≤ J ∧ J ≤ P(N)) ⊃ A(X) ≤ A(S(J)); AXIOM
9  J = THEOREM2; 11 12

11 J = THEOREM2 ∨ A(THEOREM2) ≤ A(S(THEOREM2)); 13 14

12 ¬A(THEOREM2) ≤ A(S(THEOREM2)); THEOREM

13 J = THEOREM2 ∨ S(J) ≤ THEOREM2; 15 16

14 S(J) ≤ THEOREM2 ⊃ A(THEOREM2) ≤ A(S(THEOREM2)); 17 18

15 1 < THEOREM2 ∨ 1 = THEOREM2; 19 20

16 X < Y ⊃ S(X) ≤ Y; AXIOM

17 S(J) ≤ X ∧ X ≤ P(N) ⊃ A(X) ≤ A(S(X)); AXIOM

18 THEOREM2 ≤ P(N); THEOREM
19 X ≤ Y ⊃ X < Y ∨ X = Y; AXIOM
20 1 ≤ THEOREM2; THEOREM


5.5  BINARY  TABLE  SEARCH 


This example, from Clint and Hoare [1972], is a table lookup routine
which tries to find the location of the input X in the array A. A is
a sorted array of distinct elements, a fact denoted in the assertions
by SORTED(A). If X is not in the array an ERROR exit is to be taken.
(Our conversion of their program renders this as setting the flag
ERROR to TRUE.) Note the use of a go-to for leaving the while loop
and the other go-to's. NOTFOUND(X,M,N) expresses that X is not in
the array segment from A[M] to A[N]. This program for binary table
search is essentially the same as the example in Floyd [1972]. The
last verification condition is of the form A → A because VCG does not
allow a transfer to the EXIT assertion.

PASCAL ENTRY (1<N)∧SORTED(A)∧(A[1]<X)∧(X<A[N]);

EXIT (A[LOOKUP] = X)∧(ERROR=FALSE) ∨ NOTFOUND(X,M,N)∧(ERROR = TRUE);
BEGIN M←1; ERROR←FALSE;

ASSERT (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE);

WHILE M+1 < N DO BEGIN
  I ← (M+N) DIV 2;

  IF X < A[I] THEN N←I ELSE IF A[I] < X THEN M ← I
  ELSE BEGIN LOOKUP ← I; GO TO 1 END

END;

IF A[M] ≠ X THEN GO TO 2 ELSE BEGIN LOOKUP ← M; GO TO 1 END;

2: ASSERT NOTFOUND(X,M,N); ERROR ← TRUE;

1: ASSERT (A[LOOKUP] = X)∧(ERROR=FALSE) ∨ NOTFOUND(X,M,N)∧(ERROR = TRUE)
END.;


*****

PASCAL PROGRAM SUCCESSFULLY PARSED


FOR THE MAIN PROGRAM THE
8 VERIFICATION CONDITIONS ARE:


# 1 (1<N)∧SORTED(A)∧(A[1]<X)∧(X<A[N])
    →
    (1<N)∧(A[1]<X)∧(X<A[N])∧SORTED(A)∧(FALSE=FALSE)

# 2 (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE)∧(M+1<N)
    → X<A[(M+N) DIV 2]
    →
    (M<(M+N) DIV 2)∧(A[M]<X)∧(X<A[(M+N) DIV 2])∧SORTED(A)∧
    (ERROR=FALSE)

# 3 (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE)∧(M+1<N)
    → ¬(X<A[(M+N) DIV 2]) → A[(M+N) DIV 2]<X
    →
    ((M+N) DIV 2<N)∧(A[(M+N) DIV 2]<X)∧(X<A[N])∧SORTED(A)∧
    (ERROR=FALSE)

# 4 (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE)∧(M+1<N)
    → ¬(X<A[(M+N) DIV 2]) → ¬(A[(M+N) DIV 2]<X)
    →
    (A[(M+N) DIV 2]=X)∧(ERROR=FALSE)∨NOTFOUND(X,M,N)∧(ERROR=TRUE)

# 5 (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE)∧¬(M+1<N) → A[M]≠X
    →
    NOTFOUND(X,M,N)

# 6 (M<N)∧(A[M]<X)∧(X<A[N])∧SORTED(A)∧(ERROR=FALSE)∧¬(M+1<N) → ¬(A[M]≠X)
    →
    (A[M]=X)∧(ERROR=FALSE)∨NOTFOUND(X,M,N)∧(ERROR=TRUE)

# 7 NOTFOUND(X,M,N)
    →
    (A[LOOKUP]=X)∧(TRUE=FALSE)∨NOTFOUND(X,M,N)∧(TRUE=TRUE)

# 8 (A[LOOKUP]=X)∧(ERROR=FALSE)∨NOTFOUND(X,M,N)∧(ERROR=TRUE)
    →
    (A[LOOKUP]=X)∧(ERROR=FALSE)∨NOTFOUND(X,M,N)∧(ERROR=TRUE)

*****
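As an added check that is not part of Clint and Hoare's program or of the paper, the same table search can be run in Python with its ENTRY, loop ASSERT and EXIT assertions evaluated at run time on a constructed table. Runtime checking does not replace the verification conditions above, since it only covers the inputs tried, but it is the quickest way to catch a wrong invariant before attempting a proof, and it exercises both exits the EXIT assertion speaks of. SORTED and NOTFOUND are written out as the predicates the assertions name; the 1-based list, the check helper and the sample table are the example's own.

```python
# Added example (Python; not from Clint and Hoare or the paper): the binary
# table search of Section 5.5 executed with its assertions checked at run
# time. The table is 1-based (a[0] unused) to keep the indices of the
# Pascal text. The sample tables in the test are constructed.

def check(cond, what):
    """Run-time form of an ASSERT: stop instead of running on past a violation."""
    if not cond:
        raise AssertionError(what + ' violated')

def sorted_distinct(a):
    """SORTED(A): A[1..N] strictly increasing, i.e. sorted with distinct elements."""
    return all(a[i] < a[i + 1] for i in range(1, len(a) - 1))

def notfound(x, a, m, n):
    """NOTFOUND(X,M,N): X does not occur in the segment A[M..N]."""
    return all(a[k] != x for k in range(m, n + 1))

def table_search(a, x):
    """The binary table search of Section 5.5 with its assertions checked.
    a[1..N] is the table (a[0] is unused); returns (LOOKUP, ERROR)."""
    n = len(a) - 1
    check(1 < n and sorted_distinct(a) and a[1] < x < a[n], 'ENTRY')
    m, error, lookup = 1, False, None
    while True:
        check(m < n and a[m] < x < a[n] and sorted_distinct(a) and not error,
              'loop ASSERT')
        if not (m + 1 < n):
            break
        i = (m + n) // 2                      # (M+N) DIV 2 for positive M, N
        if x < a[i]:
            n = i
        elif a[i] < x:
            m = i
        else:
            lookup = i                        # LOOKUP <- I; GO TO 1
            break
    if lookup is None:
        if a[m] != x:
            check(notfound(x, a, m, n), 'ASSERT at label 2')   # GO TO 2
            error = True
        else:
            lookup = m                        # LOOKUP <- M; GO TO 1
    found = lookup is not None and a[lookup] == x and not error
    check(found or (notfound(x, a, m, n) and error), 'EXIT assertion')
    return lookup, error
```

Note that the loop invariant keeps A[M] < X strictly, so the branch LOOKUP ← M after the loop can never be taken when the invariant holds; verification conditions #5 and #6 above say the same thing, which is why #6 has an antecedent that is never satisfied.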
5.6 THE McCARTHY-PAINTER COMPILER AS A FUNCTION

This  example  is  the  McCarthy-Pa i nter  compiler  for  arithmetic 
expressions  [McCarthy  and  Painter  1967]  written  as  a  Pascal  recursive 
function.  The  assertions  given  in  this  example  are  the  same 
statements  that  U.  Diffie  used  when  he  proof-checked  the  published 
probf  of  the  compiler  correctness.  If  a  "library  function"  ALPHA  is 
unknown  to  VCG.  it  prints  a  message  "ALPHA  NOT  FOUND".  For 
precondtions  and  results  of  that  function,  the  names  "PRE_ALPHA"  and 
"RES_ALPHA"  are  invented. 

PASCAL  EXIT  RESULT; 

FUNCTION  COUP  I LE (E: EXPRESSION;  Ts  INTEGER) : CJDE; 

ENTRY  ISEXP(E)a(T>AC)  a  (ISVAR(V)=>{  (LOC  (V.HAP)  <  T)  a  (C  (LOC  (V.MAP) )  -C(V.SRST) ) ) )  5 
EXIT  ( C ( AC , OUTCOME ( COMP I LE (E , T ) , OBST ) ) -VALUE (E.SRST) ) 

A 

( (U<T )  0  (C(U. OBST) =C(U, OUTCOME (COMPILE (E.T), OBST)))); 

BEGIN  IF  I SCONST  (E)  THEN  COMPILE  <-  MKLI  (VAL  (E) ) 

ELSE  IF  ISVAR(E)  THEN  COMPILE  -  MKLOAD (LOC (E , MAP) ) 

ELSE  IF  ISSUM(E)  THEN 
COMPILE  - 

COMP  I LE (SI (E I , T ) *MKSTO  ( T )  ^COMPILE (S2(E) ,  T+l ) #MKADD ( T ) 

END; 

BEGIN  RESULT  -  COMPILE (EXPRESSION,  LENGTH (VARS) ) END.  1 


PASCAL PROGRAM SUCCESSFULLY PARSED
ISCONST NOT FOUND
ISVAR NOT FOUND
ISSUM NOT FOUND
S1 NOT FOUND
MKSTO NOT FOUND
S2 NOT FOUND
MKADD NOT FOUND
MKLOAD NOT FOUND
LOC NOT FOUND
MKLI NOT FOUND
VAL NOT FOUND

FOR COMPILE THE
4 VERIFICATION CONDITIONS ARE:


# 1 ISEXP(E)∧(T>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<T)∧(C(LOC(V,MAP))=C(V,SRST)))→
    PRE_ISCONST(E)∧(RES_ISCONST(E)∧ISCONST(E)→
    PRE_MKLI(VAL(E))∧PRE_VAL(E)∧(RES_MKLI(VAL(E))∧RES_VAL(E)→
    (C(AC,OUTCOME(MKLI(VAL(E)),OBST))=VALUE(E,SRST))∧
    (U<T⊃C(U,OBST)=C(U,OUTCOME(MKLI(VAL(E)),OBST)))))

# 2 ISEXP(E)∧(T>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<T)∧(C(LOC(V,MAP))=C(V,SRST)))→
    RES_ISCONST(E)∧¬ISCONST(E)→PRE_ISVAR(E)∧(RES_ISVAR(E)∧ISVAR(E)→
    PRE_MKLOAD(LOC(E,MAP))∧PRE_LOC(E,MAP)∧(RES_MKLOAD(LOC(E,MAP))∧
    RES_LOC(E,MAP)→(C(AC,OUTCOME(MKLOAD(LOC(E,MAP)),OBST))=VALUE(E,SRST))∧
    (U<T⊃C(U,OBST)=C(U,OUTCOME(MKLOAD(LOC(E,MAP)),OBST)))))

# 3 ISEXP(E)∧(T>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<T)∧(C(LOC(V,MAP))=C(V,SRST)))→
    RES_ISCONST(E)∧¬ISCONST(E)→RES_ISVAR(E)∧¬ISVAR(E)→PRE_ISSUM(E)∧
    (RES_ISSUM(E)∧ISSUM(E)→
    ISEXP(S1(E))∧(T>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<T)∧(C(LOC(V,MAP))=C(V,SRST)))∧
    PRE_S1(E)∧PRE_MKSTO(T)∧ISEXP(S2(E))∧(T+1>AC)∧(ISVAR(V)⊃
    (LOC(V,MAP)<T+1)∧(C(LOC(V,MAP))=C(V,SRST)))∧PRE_S2(E)∧PRE_MKADD(T)∧
    ((C(AC,OUTCOME(COMPILE(S1(E),T),OBST))=VALUE(S1(E),SRST))∧(U<T⊃
    C(U,OBST)=C(U,OUTCOME(COMPILE(S1(E),T),OBST)))∧RES_S1(E)∧RES_MKSTO(T)∧
    (C(AC,OUTCOME(COMPILE(S2(E),T+1),OBST))=VALUE(S2(E),SRST))∧(U<T+1⊃
    C(U,OBST)=C(U,OUTCOME(COMPILE(S2(E),T+1),OBST)))∧RES_S2(E)∧RES_MKADD(T)→
    (C(AC,OUTCOME(COMPILE(S1(E),T)*MKSTO(T)*COMPILE(S2(E),T+1)*MKADD(T),OBST))=
    VALUE(E,SRST))∧(U<T⊃C(U,OBST)=C(U,OUTCOME(COMPILE(S1(E),T)*MKSTO(T)*
    COMPILE(S2(E),T+1)*MKADD(T),OBST)))))

# 4 ISEXP(E)∧(T>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<T)∧(C(LOC(V,MAP))=C(V,SRST)))→
    RES_ISCONST(E)∧¬ISCONST(E)→RES_ISVAR(E)∧¬ISVAR(E)→RES_ISSUM(E)∧
    ¬ISSUM(E)→
    (C(AC,OUTCOME(COMPILE,OBST))=VALUE(E,SRST))∧
    (U<T⊃C(U,OBST)=C(U,OUTCOME(COMPILE,OBST)))

LENGTH NOT FOUND

FOR THE MAIN PROGRAM THE
1 VERIFICATION CONDITIONS ARE:

# 1 UNRESTRICTED
    ISEXP(EXPRESSION)∧(LENGTH(VARS)>AC)∧(ISVAR(V)⊃(LOC(V,MAP)<LENGTH(VARS))∧
    (C(LOC(V,MAP))=C(V,SRST)))∧PRE_LENGTH(VARS)∧
    ((C(AC,OUTCOME(COMPILE(EXPRESSION,LENGTH(VARS)),OBST))=
    VALUE(EXPRESSION,SRST))∧(U<LENGTH(VARS)⊃C(U,OBST)=
    C(U,OUTCOME(COMPILE(EXPRESSION,LENGTH(VARS)),OBST)))∧RES_LENGTH(VARS)→
    COMPILE(EXPRESSION,LENGTH(VARS)))
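The COMPILE function of section 5.6 and its ENTRY/EXIT assertions, as an added executable example that is not part of the paper, of VCG, or of the McCarthy-Painter publication. The names (ISCONST, ISVAR, ISSUM, S1, S2, VAL, VALUE, MKLI, MKLOAD, MKSTO, MKADD, OUTCOME, LOC, MAP, SRST, OBST, AC) follow the assertions above; the concrete representations are assumptions of this example: an expression is an int, a variable name, or a tuple ('sum', E1, E2); the object state is a dict from locations to integers with the accumulator as a separate key AC (so the assertion's T>AC is modelled by keeping AC out of the numbered locations); MAP is a dict from variable names to locations, and T is the first free temporary. The check below runs the compiled code on a constructed state and tests both conjuncts of the EXIT assertion: that the accumulator holds VALUE(E,SRST) and that every location below T is unchanged. Going beyond the page, it also includes a deliberately wrong compiler that uses T-1 as its temporary, to show that the second conjunct is the one that rejects a compiler that produces the right value while overwriting a variable's cell.

```python
# Added example (not from the paper): the McCarthy-Painter compiler for
# arithmetic expressions with a small interpreter for the source language
# and for the object machine, so the ENTRY/EXIT assertions of the paper's
# COMPILE function can be checked on concrete inputs.
# Representation assumptions (mine, not the paper's):
#   - an expression E is an int (constant), a str (variable), or the
#     tuple ('sum', E1, E2);
#   - the object state OBST is a dict from locations to ints; the
#     accumulator is the key AC = 'AC', other locations are ints >= 0,
#     so the paper's "T > AC" is modelled by AC being a separate key;
#   - MAP is a dict from variable names to locations, and T is the first
#     free temporary: locations below T hold variables and must survive.

AC = "AC"

# ---- source language: ISCONST, ISVAR, ISSUM, ISEXP, S1, S2, VAL, VALUE ----
def isconst(e): return isinstance(e, int) and not isinstance(e, bool)
def isvar(e):   return isinstance(e, str)
def issum(e):   return isinstance(e, tuple) and len(e) == 3 and e[0] == "sum"
def isexp(e):   return isconst(e) or isvar(e) or (issum(e) and isexp(e[1]) and isexp(e[2]))
def s1(e): return e[1]
def s2(e): return e[2]
def val(e): return e

def value(e, srst):
    """VALUE(E, SRST): the meaning of E in source state SRST."""
    if isconst(e): return val(e)
    if isvar(e):   return srst[e]
    if issum(e):   return value(s1(e), srst) + value(s2(e), srst)
    raise ValueError(f"not an expression: {e!r}")

# ---- object language: MKLI, MKLOAD, MKSTO, MKADD; '*' is list concatenation ----
def mkli(n):   return [("LI", n)]
def mkload(l): return [("LOAD", l)]
def mksto(t):  return [("STO", t)]
def mkadd(t):  return [("ADD", t)]

def outcome(code, obst):
    """OUTCOME(CODE, OBST): run CODE from state OBST and return the new state."""
    st = dict(obst)                      # OBST itself is left untouched
    for op, arg in code:
        if op == "LI":     st[AC] = arg
        elif op == "LOAD": st[AC] = st[arg]
        elif op == "STO":  st[arg] = st[AC]
        elif op == "ADD":  st[AC] = st[AC] + st[arg]
        else: raise ValueError(f"unknown instruction {op}")
    return st

# ---- the compiler, mirroring the paper's COMPILE(E, T) ----
def compile_expr(e, t, map_):
    if isconst(e): return mkli(val(e))
    if isvar(e):   return mkload(map_[e])
    if issum(e):   return (compile_expr(s1(e), t, map_) + mksto(t)
                           + compile_expr(s2(e), t + 1, map_) + mkadd(t))
    # the paper's function has no final ELSE; failing loudly here is my choice
    raise ValueError(f"not an expression: {e!r}")

def compile_clobbering(e, t, map_):
    """Deliberately wrong variant (constructed for this example): uses T-1
    as the temporary, so it can overwrite a variable's cell."""
    if isconst(e): return mkli(val(e))
    if isvar(e):   return mkload(map_[e])
    return (compile_clobbering(s1(e), t, map_) + mksto(t - 1)
            + compile_clobbering(s2(e), t, map_) + mkadd(t - 1))

# ---- ENTRY checked as a precondition, EXIT checked as a postcondition ----
def exit_assertion_holds(e, t, map_, srst, obst, compiler=compile_expr):
    """Returns (AC holds VALUE(E,SRST), every location U < T is unchanged)."""
    assert isexp(e)                                             # ISEXP(E)
    for v in srst:                                              # ISVAR(V) ⊃ ...
        assert 0 <= map_[v] < t and obst[map_[v]] == srst[v]
    final = outcome(compiler(e, t, map_), obst)
    ac_ok = final[AC] == value(e, srst)
    frame_ok = all(final[u] == obst[u] for u in obst if u != AC and u < t)
    return ac_ok, frame_ok

def demo():
    """Constructed sample: variables x, y, z in locations 0..2, T = LENGTH(VARS) = 3."""
    srst = {"x": 3, "y": 4, "z": 5}
    map_ = {"x": 0, "y": 1, "z": 2}
    obst = {AC: 0, 0: 3, 1: 4, 2: 5}
    t = len(map_)
    exprs = [7, "y", ("sum", "x", 7), ("sum", ("sum", "x", "y"), ("sum", "z", 1))]
    good = {repr(e): exit_assertion_holds(e, t, map_, srst, obst) for e in exprs}
    bad = exit_assertion_holds(("sum", "x", 7), t, map_, srst, obst, compile_clobbering)
    return good, bad
```

Calling demo() returns (True, True) for every expression compiled by compile_expr, while compile_clobbering on x+7 returns (True, False): the accumulator is correct but location 2 (the cell of z) now holds 3 instead of 5, which is exactly the situation the (U<T)⊃(C(U,OBST)=C(U,OUTCOME(...))) conjunct of the EXIT assertion excludes. Note that this is a test on particular states, not the proof the verification conditions call for; the four VCs above quantify over all E, T and states.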